Ascension, one of the largest private healthcare systems in the United States, is notifying patients that their personal and health information was stolen in a December 2024 data theft attack that affected a former business partner.
The health network operates 142 hospitals nationwide, has over 142,000 employees, and reported total revenue of $28.3 billion in 2023.
“On December 5, 2024, we learned that Ascension patient information may have been involved in a potential security incident. We immediately initiated an investigation to determine whether and how a security incident occurred,” Ascension says in data breach notifications sent to affected individuals.
“Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.”
Depending on the impacted patient, the attackers gained access to a combination of personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs).
They could also access personal health information related to inpatient visits, including the physician’s name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name.
Although the breach notifications did not embody any data concerning the whole variety of sufferers who had their knowledge uncovered on this breach, the healthcare system mentioned in an April 28 submitting with Massachusetts’ Workplace of the Lawyer Normal that 96 MA residents have been affected and had their medical information and SSNs uncovered within the incident.
Ascension now affords two years of free identification monitoring providers, together with credit score monitoring, fraud session, and identification theft restoration to these affected by this knowledge breach.
While the company did not share any additional details about the breach affecting its former business partner, the timeline suggests the attack was part of a series of Clop ransomware data theft attacks that exploited a zero-day flaw in Cleo secure file transfer software.
An Ascension spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Last year, Ascension notified nearly 5.6 million patients and employees that their personal and health data had been stolen in a May 2024 Black Basta ransomware attack. After the incident, Ascension revealed that the ransomware breach resulted from an employee who downloaded a malicious file onto a company device.