Hospital Health System Hit by Massive, Preventable Cyber Attack


A cyberattack on Ascension, one of the largest non-profit health systems in the U.S., compromised the personal health information of patients across multiple states starting in May 2024. According to official company statements and subsequent legal filings, the ransomware attack disrupted electronic health records and pharmacy systems, leading to several class-action lawsuits alleging the breach was preventable.

What happened during the Ascension cyber attack?

On May 8, 2024, Ascension announced that it had detected unusual activity on its network and was experiencing a cybersecurity event that disrupted its electronic health record (EHR) systems and pharmacy operations. According to Ascension's statements, the attack forced clinicians to revert to paper charting and manual medication dispensing at hospitals across roughly 20 states. Ascension, which operates about 140 hospitals, reported that the outage affected patient scheduling and clinicians' ability to access medical histories in real time.


Reports from BleepingComputer and other outlets, citing security researchers, attributed the attack to Black Basta, a known ransomware-as-a-service group. Ascension later stated that the attackers gained initial access after an employee downloaded a malicious file that the employee believed was legitimate. The attackers encrypted servers and exfiltrated sensitive data, using the threat of public release to pressure the organization. Ascension confirmed that the incident caused significant operational delays, though the company stated that patient care remained its primary priority during the recovery phase.

What patient data was compromised?

The breach involved unauthorized access to Protected Health Information (PHI), the category of data regulated under HIPAA. According to notifications sent to affected individuals, the compromised data included:

  • Full names and dates of birth.
  • Medical record numbers.
  • Clinical information, including diagnoses and treatment histories.
  • Contact information and insurance details.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights maintains a public breach portal, informally known as the "Wall of Shame", where breaches of unsecured PHI affecting 500 or more individuals must be reported. Ascension's incident is among the largest reported in 2024 because of the sheer volume of patients served by the network.

Why are lawsuits calling the breach “preventable”?

Multiple class-action lawsuits filed in federal courts allege that Ascension failed to implement basic cybersecurity protocols. The complaints characterize the breach as "preventable", alleging that the health system lacked adequate multi-factor authentication (MFA) and had not patched known software vulnerabilities of the kind Black Basta is known to exploit. These are allegations in the complaints, not findings, and Ascension has not confirmed them.


The plaintiffs argue that Ascension's negligence allowed attackers to gain entry into the network and move laterally across systems. The lawsuits seek damages for patients whose medical data, the plaintiffs claim, has been exposed on the dark web, citing a failure to meet the standards of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

How does the Ascension breach compare to the Change Healthcare attack?

While both occurred in 2024 and involved ransomware, the two attacks impacted the healthcare ecosystem differently. The following table contrasts the primary effects of each event:

Feature         | Ascension Attack                            | Change Healthcare Attack
Primary Impact  | Direct patient care (EHRs, pharmacy)        | Financial infrastructure (claims, payments)
Scope           | Single hospital network (about 140 sites)   | National clearinghouse (thousands of providers)
Immediate Risk  | Clinical errors due to paper charting       | Provider insolvency due to missing payments
Data Type       | Clinical PHI and patient demographics       | Billing, insurance, and PHI

What should patients do if their data was stolen?

Medical identity theft differs from financial identity theft because it can lead to incorrect medical records, which may affect future treatment. According to guidance from the Federal Trade Commission (FTC), patients should take these steps:

  • Review Benefit Statements and Medical Records: Check your "Explanation of Benefits" (EOB) statements from your insurer for services you did not receive, and request a copy of your medical records from your providers to look for entries that are not yours.
  • Freeze Credit Reports: Contact Equifax, Experian, and TransUnion to place a freeze, which prevents attackers from opening new accounts using the stolen names, dates of birth, and contact details.
  • Monitor Health Accounts: Change passwords and enable MFA on all patient portals and insurance logins.
  • Use Provided Monitoring: If Ascension offers complimentary credit monitoring or identity restoration services, enroll immediately.

The HHS Office for Civil Rights, which enforces HIPAA, continues to investigate the breach to determine whether Ascension's security measures met federal requirements. As more of the affected data is analyzed, the total number of affected individuals is expected to rise.
