Ascension, one of the largest private healthcare systems in the United States, is notifying patients that their personal and health information was stolen in a December 2024 data theft attack that affected a former business partner.
The health network operates 142 hospitals nationwide, has over 142,000 employees, and reported total revenue of $28.3 billion in 2023.
“On December 5, 2024, we learned that Ascension patient information may have been involved in a potential security incident. We immediately initiated an investigation to determine whether and how a security incident occurred,” Ascension says in data breach notifications sent to affected individuals.
“Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.”
Depending on the impacted patient, the attackers gained access to a combination of personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs).
They could also access personal health information related to inpatient visits, including the physician’s name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name.
Although the breach notifications did not include any information on the total number of patients whose data was exposed in this breach, the healthcare system said in an April 28 filing with Massachusetts’ Office of the Attorney General that 96 MA residents were affected and had their medical information and SSNs exposed in the incident.
Ascension is now offering two years of free identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration, to those affected by this data breach.
While the company did not share any additional details about the breach at its former business partner, the timeline suggests the attack was part of the series of Clop ransomware data theft attacks that exploited a zero-day flaw in Cleo secure file transfer software; Ascension has not confirmed that link.
An Ascension spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Last year, Ascension notified nearly 5.6 million patients and employees that their personal and health data had been stolen in a May 2024 Black Basta ransomware attack. After the incident, Ascension revealed that the ransomware breach resulted from an employee who downloaded a malicious file onto a company device.