Ascension, a leading private healthcare provider in the United States, has revealed that a ransomware attack on its systems has potentially compromised patients’ protected health information (PHI) and personally identifiable information (PII). The cybersecurity incident in May 2024 forced the organization to divert ambulances, postpone patient appointments, and temporarily disable access to electronic health records (EHR) and other critical systems.
Accidental Download Leads to Breach
In an update on June 12, an Ascension spokesperson disclosed that the ransomware attack was initiated after an employee accidentally downloaded a malicious file masquerading as legitimate. The company emphasized that this was an “honest mistake” and that there was no evidence to suggest the employee acted with malicious intent. However, the accidental download allowed the ransomware attackers to gain unauthorized access to Ascension’s systems, resulting in widespread disruption and potential data breach.
According to Ascension, there is evidence indicating that the attackers were able to steal files from seven servers used by associates for daily and routine tasks. These files may contain sensitive PHI and PII data of patients. The specific data accessed and the individuals affected are still being investigated by third-party cybersecurity experts. Ascension has stated that it will notify affected individuals and regulatory bodies once the full extent of the data breach is determined.
Recovery Efforts and Precautionary Measures
As of June 11, Ascension reported successfully restoring EHR access for 14 locations, with plans to complete the restoration process by June 14. However, medical records and other information collected during the system downtime may not be immediately accessible. To address potential identity theft concerns, Ascension is offering complimentary credit monitoring and identity theft protection services to any patient or associate who requests it.
Wider Impact on Healthcare Services
The ransomware attack on Ascension is part of a broader trend of cybersecurity incidents targeting healthcare providers and their suppliers. In the UK, two leading London hospitals were forced to cancel operations and divert emergency patients in early June due to a cyber-attack on a critical pathology services supplier. The incident prompted an urgent appeal from the NHS for blood donors and volunteers to mitigate the immediate and significant impact on blood transfusions and test results.
As the investigation into the Ascension data breach continues, healthcare organizations and cybersecurity experts alike emphasize the importance of robust security measures, employee training, and incident response plans to safeguard sensitive patient data and ensure the continuity of critical medical services.
