
Ascension Health Notifying 437K Patients About Data Breach at Former Business Partner

Ascension Health in St. Louis, Missouri, has started notifying certain patients about a security incident at one of its former business partners. Ascension learned on December 5, 2024, that the business partner had experienced a hacking incident. An investigation was launched, and it was determined on January 21, 2025, that Ascension had inadvertently disclosed patient data to the former business partner, and that data had likely been stolen in the hacking incident. Ascension confirmed that its own systems were unaffected.

A hacker was able to exploit a vulnerability in third-party software to gain access to data held by the former business partner. The data review confirmed that the information likely stolen in the incident included names, addresses, phone numbers, dates of birth, email addresses, race/gender, Social Security numbers, medical record numbers, insurance company names, and clinical information related to inpatient visits, which may have included service locations, physicians’ names, discharge dates, and diagnosis and billing codes.

Ascension said it has reviewed its policies, procedures, and processes and will implement enhanced safeguards to prevent similar incidents in the future. The affected individuals had previously received services at Ascension facilities in Alabama, Michigan, Indiana, Tennessee, and Texas. Individual notifications are being mailed, and the affected individuals have been offered two years of complimentary credit monitoring and identity theft protection services. The HHS’ Office for Civil Rights (OCR) breach portal indicates 437,329 individuals were affected, and according to the notification sent to the Texas Attorney General, 114,692 of those individuals were Texas residents.

Ascension has also made three other announcements about third-party data breaches this year. In mid-April, Ascension confirmed it had been affected by a data breach at the law firm Scharnhorst Ast Kennard Griffin. In March, an announcement was made about a breach at Access Telecare, and in February, Ascension announced that it had been affected by a breach at Restorix Health. In all of these incidents, the breach involved patient data being exposed, but there was no breach of Ascension’s systems. Access Telecare reported the breach to OCR as involving the ePHI of 62,669 individuals, and Restorix Health notified OCR that the breach involved the ePHI of 38,553 individuals.


The Scharnhorst Ast Kennard Griffin incident was recently reported to OCR by the law firm as a breach of 639 individuals’ PHI; however, it is unclear if that total includes the data of all affected clients. Ascension explained that the breach occurred between July 17, 2024, and August 6, 2024, and the forensic investigation confirmed that hackers had viewed or stolen sensitive data. The information potentially compromised in the incident included some or all of the following: name, phone number, date of birth, date of death, Social Security number, driver’s license or state identification card, race, and medical treatment information such as dates of services, condition, history, procedure information, provider name, test or vaccine information, lab results, prescription information, health insurance name and identification number, and other identifiers such as medical record number and patient account number. Ascension confirmed that Scharnhorst Ast Kennard Griffin is offering complimentary credit monitoring services to the affected individuals.

Ascension was also affected by the ransomware attack on Change Healthcare in February 2024, and in May 2024, it announced that 5.6 million patients had been affected by its own ransomware attack.

Carolina Anesthesiology Database Containing 21,344 Records Exposed Online

A database containing the personally identifiable and protected health information of 21,344 patients has been exposed online. The database was found by security researcher Jeremiah Fowler, who analyzed a sample of the data and confirmed it contained information such as names, addresses, phone numbers, health insurance information, emergency contact information, diagnoses, case summaries, medications, vital statistics, family and patient medical histories, anesthesiology summaries, and physicians’ notes. The database also contained software billing and compliance reports belonging to a medical software company.

Fowler notified the medical software company about the exposed database; the company identified the database owner and notified them, and the database was secured the same day. It is unclear how long the database was exposed or whether it was accessed by any other individuals. Fowler also identified files related to Atrium Health and contacted them about the data breach. Atrium Health confirmed that an investigation had been initiated and, via databreaches.net, that the database belonged to Carolina Anesthesiology. Atrium Health said it immediately shut down its data feeds to Carolina Anesthesiology while the database was secured and the incident was investigated. Carolina Anesthesiology is located in High Point, North Carolina, and provides anesthesiology services to High Point Regional Health System and Atrium Health.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
