Ascension confirms ransomware attack, some hospitals still diverting patients

Ascension has confirmed that its cybersecurity incident is indeed a ransomware attack, and the attack is still affecting patient care.

One of America’s largest hospital systems, Ascension reported that a cyberattack was discovered May 8 and it was disrupting normal operations. The Catholic health system said Saturday that it experienced a ransomware attack, and the system said it will take time to restore all services. So far, Ascension says there isn’t a timetable on when services and systems will be restored.

“We continue to diligently investigate and address the recent ransomware incident, working closely with industry leading cybersecurity experts to assist in our investigation and restoration and recovery efforts,” Ascension said on its website.

• Read more: Change Healthcare cyberattack shows ‘no one is immune’

Ascension hospitals and facilities remain open and are caring for patients. However, the system says some areas of patient care are being affected.

Ascension has postponed some “non-emergent” surgeries, appointments and tests. Several Ascension hospitals are diverting patients due to the cyberattack, and the system says that step is being taken to appropriately handle emergency cases. “Safely caring for our patients remains our highest priority as we navigate this cybersecurity incident,” Ascension said in its statement.

Based in St. Louis, Ascension operates 140 hospitals and 40 senior centers in 19 states and Washington, D.C.

Ascension has said its electronic health records and patient portal, MyChart, are offline. The system is using paper records and processing orders for medication, diagnostic tests and filling out other records by hand.

The system said Monday afternoon that it is making some progress after working around the clock over the weekend.

"We are focused on restoring systems safely," Ascension said Monday. "We are making progress, however, it will take time to return to normal operations. As systems and services come back online, we will share those updates so that our patients and communities can plan accordingly."

Ascension says it has notified law enforcement, including the FBI, the Department of Health and Human Services and the Cybersecurity and Infrastructure Security Agency.

Ascension said the investigation into the attack is continuing and the health system hasn’t determined if private health information has been exposed.

“Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines,” Ascension said.

The healthcare industry has been bedeviled by ransomware attacks, in part because criminals know some organizations will pay the ransom, says​​ Cliff Steinhauer, director of information security and engagement at The National Cybersecurity Alliance. In an interview with Chief Healthcare Executive®, Steinhauer acknowledges it’s a difficult decision for hospital and healthcare organizations.

“The really, really troublesome thing is that paying the ransom encourages further activity by the threat actor groups,” Steinhauer says. “They know that they can get the money because they have found something so valuable, so critical, that the organization can't afford, or the public can't afford not to pay them.”

• Read more: Paying the ransom: Hospitals face hard choices in cyberattacks

Recent ransomware attacks underscore the importance of health organizations doing all they can to strengthen their cybersecurity posture.

“The most important impactful thing that anyone could do is to protect the data from being stolen in the first place, and to protect the information systems from being compromised in the first place,” Steinhauer says. “But the reality is, it's a very difficult thing to do 100% of the time.”

The Ascension attack is just the latest high-profile ransomware attack to hit the healthcare industry.

Change Healthcare, a subsidiary of UnitedHealth Group, continues to deal with the fallout of a ransomware attack that was first disclosed Feb. 21. Cybersecurity analysts and healthcare leaders say the Change Healthcare attack is the most damaging on record in the U.S. health sector. UnitedHealth Group CEO Andrew Witty told the Senate Finance Committee on May 1 that the company paid a ransom of $22 million in its cyberattack.

Hospitals, medical groups and doctors across the country have seen financial damage due to the attack, since Change handles so many business functions for providers nationwide.

CommonSpirit Health suffered a ransomware attack in 2022 that affected more than 100 of its facilities, the organization said. Ardent Health Services also said it experienced a ransomware attack last year, which delayed some elective procedures and forced hospitals to divert ambulances to other facilities.

Nearly half of all healthcare IT professionals say their organizations have suffered a ransomware attack, according to a 2023 survey released by the Ponemon Institute.

(This story was updated to include Ascension's latest progress report Monday, May 13.)