Ascension, one of the US’s most prominent private healthcare systems, has disclosed that a data breach reported last month exposed the personal and healthcare information of more than 430,000 patients.
According to a breach notification sent to potentially affected individuals last month, the compromised information was stolen during a data theft attack that targeted a former business partner in December.
Depending on the patient, the attackers accessed personal health information related to inpatient visits, such as physician names, admission and discharge dates, diagnosis and billing codes, medical record numbers, and insurance provider names.
They also obtained personal information, including names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers (SSNs).
The Ascension data breach was uncovered in December 2024.
Ascension stated that it first became aware of a potential security incident involving patient data on December 5, 2024, and immediately launched an investigation to determine the scope of the breach.
The investigation later revealed, on January 21, 2025, that the company had inadvertently disclosed patient data to a former business partner and that this information was likely stolen due to a vulnerability in third-party software used by that partner.
While Ascension did not initially specify how many patients were affected, a filing on April 29 confirmed that 114,692 individuals in Texas were impacted.
Additionally, the company reported to the Massachusetts Office of the Attorney General that 96 state residents’ medical records and SSNs were compromised.
A separate filing submitted to the US Department of Health & Human Services (HHS) on April 28, published only recently, disclosed that the breach affected 437,329 individuals.
To support those impacted, Ascension is offering two years of free identity monitoring services, which include credit monitoring, fraud consultation, and identity theft restoration.
Although details about the breach involving the former business partner remain undisclosed, the timing suggests it may be linked to the broader Clop ransomware attacks that exploited a zero-day vulnerability in Cleo secure file transfer software.
