HQ/EMEAFind out how we can help your business
Ascension, a large private healthcare system in the US, has confirmed that nearly 5.6 million individuals have been affected by a data breach resulting from a ransomware attack. The breach, linked to the notorious Black Basta ransomware group, occurred in May 2023 and involved the theft of sensitive personal and health information.
The healthcare giant, which reported $28.3 billion in revenue in 2023, operates 140 hospitals and 40 senior care facilities across the country. Following the attack, Ascension began notifying 5,599,699 patients and employees about the breach via postal mail.
To support those impacted, the organisation is offering two years of free identity theft protection through IDX, which includes CyberScan monitoring and a $1,000,000 insurance reimbursement policy.
Ascension reported a breach caused by an employee’s accidental download of a malicious file.
The breach was reported to law enforcement and government agencies, including the FBI and CISA, after suspicious activity was detected on 8 May. In its notification, Ascension revealed that the attack was likely initiated when an employee mistakenly downloaded a malicious file, allowing attackers to access certain systems. Despite the error being unintentional, the incident had far-reaching consequences.
The stolen data holds an extensive range of personal and medical data. It includes details such as medical record numbers, lab test information, and procedure codes, as well as payment data like credit card and bank account numbers. Insurance details, including Medicaid and Medicare IDs, were also compromised, along with government identification numbers such as Social Security and tax IDs. Other personal details, including addresses and dates of birth, were also affected, though the type of information stolen varied between individuals.
The attack disrupted operations across the healthcare network, forcing Ascension to take systems offline on 8 May to contain what was initially described as a “cyber security event.” The breach rendered the MyChart electronic health record system, as well as systems for ordering tests, procedures, and medications, inaccessible. Staff were forced to rely on paper records, and non-urgent procedures, tests, and appointments were temporarily halted. Emergency services were also diverted to prevent delays in patient care.
The Black Basta ransomware group, suspected of orchestrating the attack, has been active since 2022 and is known for targeting high-profile organisations, particularly in the healthcare sector. Reports indicate that the group has collected over $100M in ransom payments from over 90 victims.
While the group has yet to claim responsibility for the Ascension breach publicly, its accelerating attacks on healthcare providers have raised significant concerns about the sector’s vulnerability to ransomware threats.
