In May 2024, Ascension Health, one of the largest Catholic healthcare organizations in the United States, became the victim of a ransomware attack that impacted nearly 6 million people. The cyberattack compromised sensitive personal information, including medical records, insurance details, Social Security numbers, government IDs, and payment information. Hackers gained access to Ascension’s network systems, forcing the organization to operate manually for weeks. As a result, numerous hospitals across 19 states experienced significant disruptions, including canceled appointments, delayed emergency care, and diverted ambulances.
The breach affected 5,599,699 individuals, and Ascension has since offered those impacted two years of free identity protection services. The healthcare giant also provided access to a $1 million insurance reimbursement policy for those affected by fraud incidents. Despite initially claiming only a limited amount of data was stolen, Ascension later revealed the full extent of the breach, which included critical health information and other personal details.
The attack had a profound impact on the operations of Ascension’s 140 hospitals and 35,000 affiliated providers. Medical professionals struggled to access patient records, delaying vital treatments and procedures. In one Michigan hospital, nurses reported waiting hours for head CT scans on patients with suspected strokes, leading to significant concerns about patient safety. The disruption of electronic medical records also forced healthcare staff to rely on manual systems, including communal Google Docs, to manage prescriptions and medical information.
The Black Basta ransomware gang is suspected to be behind the attack, although the group has not formally claimed responsibility. The breach has led to multiple class action lawsuits from patients whose sensitive information was exposed. As Ascension works to recover from the incident, the breach has raised significant concerns about cybersecurity in the healthcare sector and the potential risks to patient safety when such attacks occur. Coming amid numerous similar breaches in the healthcare industry, the ongoing investigation highlights the critical need for enhanced cybersecurity measures to protect personal and medical data.