Ascension Ransomware Attack Affects 5.6 Million Patients
In May 2024, Ascension Health suffered a ransomware attack; however, it has taken months to determine how many individuals were affected. The data breach was reported to the HHS’ Office for Civil Rights (OCR) in July 2024 using a placeholder figure of 500 affected individuals, as is common when the HIPAA Breach Notification Rule reporting deadline is approaching, and the investigation and data review are ongoing.
On or around December 19, 2024, the OCR data breach portal was updated and Ascension Health’s 500 estimate was changed to 5,599,699 records, which makes it the third largest healthcare data breach of the year, behind the Change Healthcare ransomware attack (100 million records) and the Kaiser Foundation Health Plan tracking technology data breach (13.4 million records).
Ascension announced it was dealing with a cyberattack in May 2024, then issued an update in June confirming patient data was stolen in the attack; however, at that time it was unclear exactly what data types were involved and how many individuals had been affected. Since then, Ascension has been working with third-party specialists to review the affected data. In the latest update on December 19, 2024, Ascension confirmed that the data review has been completed and individual notification letters are starting to be mailed to the affected individuals. The notification process will likely take 2-3 weeks, so it could be January 2025 before some letters are received.
Ascension is offering a new credit monitoring package which will run for 2 years from enrollment date. This package differs from the one offered by Ascension in July 2024. That means individuals who signed up for the credit monitoring services earlier this year will need to sign up again to ensure they receive the full 2-year service.
The types of data involved vary from individual to individual; however, Ascension Health is unable to determine the compromised data for each individual. As such, anyone receiving a notification letter should assume that all of the data types below could have been compromised and should take appropriate precautions, including signing up for the free credit monitoring services as a priority and monitoring their accounts and explanation of benefits statements for signs of fraudulent activity.
Data Potentially Stolen in Ascension Ransomware Attack
- Personal information – Name, address, date of birth
- Medical information – Medical record number, date(s) of service, type(s) of lab tests, procedure codes
- Payment information – Credit card information, bank account number
- Insurance information – Medicaid/Medicare ID, policy number, insurance claim
- Government identification – Social Security number, tax identification number, driver’s license number, passport number
Ascension said it has found no evidence that the ransomware group gained access to electronic health records or other clinical systems, so full medical histories have not been stolen. Anyone concerned about the data theft can find out more about the credit monitoring services at https://response.idx.us/ascension/, or by calling the Ascension helpline – (866) 724-3233 – which is manned from 8:00 a.m. to 8:00 p.m.
September 20, 2024: Ascension Ransomware Attack Hurts Financial Recovery
The May 2024 ransomware attack on St. Louis, MO-based Ascension has taken a considerable financial toll on the company. The attack forced Ascension to divert ambulances, close pharmacies, take critical IT systems offline and resort to pen and paper to record patient information. The attack affected a large percentage of its 136 hospitals across the United States. It took Ascension around 6 weeks to restore access to its electronic medical record system and resume normal operations, but its investigation and data review are still ongoing. Ascension has yet to publicly announce how many individuals had their protected health information stolen in the attack.
On September 17, 2024, Ascension published its fourth quarter fiscal year results, which show a $1.8 billion operating margin loss by the end of its fiscal year. Ascension reported an operating loss of $332 million for the first 10 months of the fiscal year to April 30, 2024 – a significant improvement from the $1.9 billion loss for the same period the previous year. Ascension has been struggling to recover financially from the COVID-19 pandemic and reported losses of almost $3 billion last year while it attempted to rebuild patient volumes and reduce expense growth.
Ascension reported losses of $79 million from recurring operations for the first 10 months to April 30, well down from the $1.2 billion loss for the same period the previous year. While the health system appeared to be on track to make a strong financial recovery, it was hit with a ransomware attack. The inclusion of its operating performance for May and June 2024 meant “a significant portion of Ascension’s year-over-year financial improvements were reduced.”
According to Ascension, the ransomware attack caused delays in revenue cycle processes, claims submission, and payment processing, in addition to significant remediation costs. As a result, there were negative impacts on operations and cash flows in May and June 2024. Facility volumes dropped by 8%-12% during May and June compared to the previous year, mostly because medical procedures had to be delayed or rescheduled while systems were offline following the ransomware attack.
For the 10 months to April 30, 2024, Ascension reported a 5.2% increase in total operating revenue, mostly driven by net patient service revenue, with operating expenses managed to net growth of 0.5% over the comparable period the previous year. With May and June included, FY24 operating revenue increased by 0.7%, and operating expenses were managed to an increase of only 0.4%. Ascension finished the fiscal year with a net loss of almost $1.1 billion, although that does represent a $1.6 billion turnaround from the previous year.
Ascension was able to secure advance payments from commercial payers and the Centers for Medicare and Medicaid Services (CMS) to mitigate the impact of the ransomware attack on its revenue cycle. Ascension was also affected by the February 2024 ransomware attack on Change Healthcare. Ascension has since taken steps to diversify its claim clearinghouses to protect against similar attacks in the future.
July 26, 2024: Ascension Ransomware Reported to OCR as a Data Breach
Ascension has reported its May 8, 2024 ransomware attack to the HHS’ Office for Civil Rights as a data breach; however, it has not yet been determined how many individuals have been affected.
The HIPAA Breach Notification Rule requires data breaches to be reported to OCR within 60 days of discovery. If by day 60, the number of affected individuals has not been determined, a regulated entity should submit a breach report to OCR and provide an estimate of how many individuals have been affected. When the investigation has been completed and the final total is known, an additional report should be submitted to OCR. Ascension has reported the breach to OCR with an interim figure of 500 affected individuals.
500 and 501 are commonly used placeholders to meet the compliance requirements of the HIPAA Breach Notification Rule when the actual number of individuals has yet to be determined. The 500 figure is the trigger for OCR to add a data breach to its data breach portal. Any breaches under 500 records must also be reported to OCR, but they are not made public.
Ascension operates 140 hospitals in 18 states and the District of Columbia, so the Ascension data breach is likely to involve the protected health information of substantially more than 500 individuals. That said, it is not likely to have involved the data of all Ascension patients, as the Missouri-based health system said only 7 of its 25,000 servers were compromised in the ransomware attack. Ascension has confirmed that its July 3, 2024 notification to OCR was an interim report and OCR will be provided with an updated total when the investigation and data review have been concluded. That is not expected to be for several more weeks.
June 13, 2024: Ascension Ransomware Attack: Initial Access Vector and Data Theft Confirmed
Ascension has confirmed that files were exfiltrated from a small number of servers in its recent ransomware attack, and some of those files contained protected health information (PHI) and personally identifiable information (PII). The servers accessed by the attackers were used for daily and routine tasks, and only 7 of its 25,000 servers were compromised in the attack.
Ascension is currently unable to say what types of data were involved or the number of patients affected as the files must be carefully reviewed but said no evidence has been found to indicate electronic medical records and other clinical systems were compromised in the attack. The review process has commenced but there are a significant number of files to analyze and that process is likely to take some time.
Notification letters will be mailed to the affected individuals when that process has been completed, so Ascension patients will have to wait to find out if their data has been exposed or stolen. Ascension appreciates that the situation is far from ideal, so to give patients peace of mind, Ascension has confirmed that credit monitoring and identity theft protection services will be provided free of charge, and those services are being made available to any patient who requests them, even if it is later determined that their data was not impacted in the incident.
Those services can be requested by calling Ascension’s dedicated call center on 1-888-498-8066; however, Ascension is unable to answer questions from individuals about whether their data was involved until the data analysis has been completed.
“We encourage all Ascension patients and staff who are concerned to take advantage of these services,” explained Ascension. “We want to be clear, however, that this offer does not mean we have determined that any specific individual patient’s data has been compromised. Rather, it illustrates our desire to do everything possible to reassure our patients and associates, regardless of any impact to specific individuals’ data.”
Ascension has also confirmed that the initial access vector was a malicious file that was unknowingly downloaded by one of its employees who believed it to be a legitimate file. Ascension is satisfied that there was no malicious intent and that it was an honest mistake. That file provided the attackers with a foothold in its network, allowing them to move laterally and use ransomware to encrypt files.
June 5, 2024: Ascension Starts Restoring EHR Access After Ransomware Attack
Ascension has provided an update on the progress made in recovering from its May 8, 2024, ransomware attack and has confirmed that EHR access has now been restored in five markets – Alabama, Austin, Florida, Tennessee, and Maryland. Ascension is working to restore EHR access for all remaining markets and anticipates access being restored by June 14, 2024. Ascension Rx retail, home delivery, and specialty pharmacies are now open, and providers can send prescriptions electronically.
Restoring EHR access has been one of the top priorities for Ascension and attention will soon focus on the remediation of additional systems. Ascension has warned that it is a complex process and that it will take some time for all systems to be restored and to determine the extent of any data breach.
May 30, 2024: Union Petitions Ascension to Take Steps to Improve Patient Safety Following Ransomware Attack
The cyberattack on Ascension has resulted in critical systems being offline for more than three weeks at some of its hospitals. While Ascension has tried and tested downtime procedures, clinicians are under an incredible strain due to the burden that comes with paper charting and some have voiced concerns that patients’ lives are being put in danger. Ascension has issued a statement confirming that staff are working around the clock to bring their systems back online safely; however, some hospitals still lack access to critical systems.
Nurses at those hospitals have complained that they have far too many patients to ensure patient safety, with some nurses saying they have had to take on 5-6 patients due to the burden of paper charting and are feeling overwhelmed. There are also fears of medical errors due to the lack of access to electronic medical records. Clinicians are relying on patients to disclose all the medications they are on, and a failure to mention one of those medications could have serious health consequences. Nurses have complained that without access to computers they are unable to see the labs that have been ordered and the results, and there are serious concerns about mistakes being made when entering patients’ vital medications. Lab work is often required to make quick decisions about patient care. Processes that normally take 30 minutes to an hour are now taking several hours, delaying decisions that could have serious health consequences for patients.
At Ascension Providence Rochester Hospital in Michigan, a local union that represents nurses – Office and Professional Employees International Union Local 40 – distributed an online petition saying its members had deep concerns about the challenges created by the cyberattack and called for Ascension to take several remediating steps to reduce the strain on staff and ensure patient safety. The petition was signed by 116 nurses and other medical professionals at the 260-bed hospital.
“We, the members of Local 40 at Ascension Providence Rochester Hospital, are deeply concerned about the current challenges faced by our healthcare professionals due to the cyber hack incident and subsequent lack of access to patients’ electronic medical records,” said the petition. “In light of these circumstances, we demand that immediate safety precautions be implemented to ensure the well-being of both our members and the patients under our care.”
The union has called for Ascension to implement daily unit shift huddles to ensure effective communication, coordination, and information sharing among healthcare professionals regarding patient care, safety protocols, and any emerging issues. Regular training sessions are required for staff members to improve their knowledge and skills in navigating the challenges due to the cyberattack, and staff members should be provided with weekly reports on the progress being made in restoring EHRs and addressing staff members’ safety concerns. The union also wants elective surgeries and non-emergent admissions to be temporarily reduced to alleviate the strain on resources and to allow care for critical patients to be prioritized, as well as implementing a maximum 4:1 nurse-to-patient ratio.
“These safety precautions are essential to safeguarding the well-being of both our members and the patients we serve during this challenging time,” wrote the union in the petition. “It is imperative that the hospital administration takes immediate action to address these concerns and prioritize the safety and quality of care for all individuals involved.”
Ascension has confirmed that it is doing everything possible to bring systems back online and ensure patient safety. All Ascension facilities remain open, with disruption varying across its care sites, and patient safety is Ascension’s utmost priority. “Our dedicated doctors, nurses, and care teams are demonstrating incredible thoughtfulness and resilience as we utilize manual and paper-based systems during the ongoing disruption to normal systems,” explained Ascension in a May 24, 2024 update.
Ascension also explained that progress has been made and systems are starting to be restored. “Due to the hard work of our teams over the past several days, we have successfully restored EHR access in our first market and are actively progressing against a plan to restore access across our network on a rolling basis,” said Ascension. “Many of our vendors and partners have also started the process of reconnecting to our network and resuming services with Ascension, which should help to accelerate our overall recovery… We are hopeful that after the weekend, our patients and clinicians will see progress across our points of care.”
May 24, 2024: Downtime Procedures Still in Effect at Ascension Hospitals; First Lawsuits Filed
It has been more than 2 weeks since the ransomware attack on Ascension and its hospitals are still operating under emergency procedures, with staff working with pen and paper due to the inability to access electronic medical records. In a May 21, 2024, update, Ascension said it is working with industry-leading cybersecurity specialists to rebuild and restore its systems securely and that care has continued to be provided to patients; however, the outage caused by the ransomware attack is affecting patient care. Patients are still being prevented from accessing patient portals and some phone systems and other systems used for ordering tests, procedures, and medications remain offline.
Patients at Ascension hospitals are facing delays in getting test results and medical images due to the inability to transfer that information electronically, and there are serious concerns about patient safety due to the lack of access to electronic medical records and the delays in receiving test results, medical images, and medications. Ascension said patient safety is the main priority and it is working around the clock to restore systems and data; however, Ascension was unable to provide a timeline on when the restoration will be completed or when there will be confirmation of the data stolen in the attack.
Ascension is providing state-by-state updates on the recovery and the services that have yet to be restored, with hospitals in many states still unable to fill prescriptions. Some hospitals still have their emergency rooms on divert and are sending ambulances to non-Ascension facilities.
The First Class Action Lawsuits Have Already Been Filed
Mandiant is assisting with the investigation of the ransomware attack, but the scale of any data breach – if there has indeed been a data breach – has yet to be announced. Given that this was a ransomware attack, and most ransomware groups exfiltrate data to use as leverage to get victims to pay a ransom, it is reasonable to assume that the attack involved data theft. Law firms and Ascension patients have been working on that assumption. The first class action lawsuits have already been filed and more can be expected in the coming days and weeks.
As far as the HIPAA Journal has been able to determine, the first lawsuit was filed on May 12, 2024, just 4 days after the ransomware attack occurred and a second lawsuit was filed the following day. The first lawsuit was filed in the U.S. District Court for the Northern District of Illinois by patient Katherine Negon and the second in the U.S. District Court for the Western District of Texas by Ana Marie Turner. The plaintiffs in both lawsuits are represented by the law offices of TJ Jesky.
The lawsuits allege that Ascension failed to implement reasonable and appropriate safeguards such as encryption to protect the data it holds. If data had been encrypted, the hackers would only have been able to steal encrypted data and there would not have been a data breach. While lawyers may claim that a successful cyberattack amounts to negligence, that is far from the case. Cyberattacks may result in unauthorized access to internal networks even with advanced security measures, and encryption of data at rest is not mandatory under HIPAA, provided other safeguards have been implemented that provide an equivalent level of protection.
The lawsuits allege that the plaintiffs’ protected health information is now in the hands of cybercriminals due to Ascension’s security failures. The lawsuits claim the plaintiffs and class members face an imminent and elevated risk of identity theft and fraud that will continue for many years to come, and that in addition to negligence, Ascension is guilty of negligence per se, breach of implied contract, unjust enrichment, and violation of the Illinois Consumer Fraud and Deceptive Business Practices Act. The lawsuits seek monetary damages, injunctive and declaratory relief, and credit monitoring and identity theft protection services for each affected individual for at least the next five years.
May 13, 2024: Ascension Ransomware Attack: Affecting All 142 Hospitals
Ascension has provided an update on the cyberattack it detected on May 8, 2024, and has confirmed that it was a ransomware attack that affected operations at its 142 hospitals. No timeline has been provided on when recovery will be completed, but Ascension said progress is being made restoring systems and they will be brought back online when it is safe to do so. Several Ascension hospitals are on divert to ensure that patients can be immediately triaged. Electronic medical records are unavailable, the phone system is offline, as are the systems used to book tests, procedures, and medications, and elective procedures have been postponed.
Ascension is maintaining close contact with the Federal Bureau of Investigation (FBI), Health Information Sharing and Analysis Center (Health-ISAC), and the Cybersecurity and Infrastructure Security Agency (CISA), and is sharing information about the attack so that it can be shared with other healthcare organizations to help them prevent similar attacks. Ascension is providing updates on the recovery process on its website and has published a Q&A for patients.
Ascension has not publicly announced which ransomware group was behind the attack; however, CNN has spoken with four sources who said it was a Black Basta ransomware attack. Black Basta has stepped up attacks on the healthcare sector, and 2 days after the attack, a joint cybersecurity advisory was issued by the Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), Department of Health and Human Services (HHS), and Multi-State Information Sharing and Analysis Center (MS-ISAC) warning the healthcare and public health sector about the group. The alert includes the latest indicators of compromise and updated details of the tactics, techniques, and procedures used by the group.
It is still too early to tell to what extent patient data was involved, but given the TTPs of the Black Basta group, data theft is highly likely. Ascension said that if data theft is confirmed, it will “notify and support those individuals in accordance with all relevant regulatory and legal guidelines.”
May 9, 2024: Ascension Cyberattack is Disrupting Clinical Operations
Ascension, the largest nonprofit and Catholic health system in the United States, has announced it is investigating a suspected cyberattack that has disrupted clinical operations. Out of an abundance of caution, business associates have been advised to temporarily disconnect from its systems. The Google-owned cybersecurity firm Mandiant has been engaged to assist with the investigation and remediation efforts, and the appropriate authorities have been notified about the suspected cyberattack.
Ascension implemented its incident response protocols when unusual activity was detected in some of its systems and is currently assessing “the impact and duration of the disruption”. That process has involved taking certain systems offline. Policies and procedures have been developed and staff trained on providing care without access to IT systems and steps have been taken to reduce the impact on patients and ensure that patient care can be safely delivered. As a precautionary measure, some Ascension hospitals have put their emergency rooms on divert and are sending ambulances to alternative facilities.
Ascension has 142 hospitals, 40 senior living facilities, and more than 2,600 care sites in 19 states and the District of Columbia. It is currently unclear how many of those facilities have been affected, although there have been news reports indicating hospitals in multiple states are experiencing disruption, with employees at those hospitals reporting that charting, scheduling, and prescription writing systems have been affected.
Ascension said the unusual activity was detected within its systems on Wednesday, May 8, 2024, and provided a summary of its actions in response to the suspected cyberattack, but few details about the attack have been shared so far, such as whether the attack involved ransomware. At this early stage of the investigation, it is unclear to what extent, if any, patient data has been compromised. A spokesperson for Ascension said patients will be notified in due course if it is determined that sensitive patient data has been compromised and further information about the incident and impact will be released as the investigation progresses.
This post will be updated when further information becomes available.