Ascension cyberattack’s impact: More than 5 million people affected

Earlier this year, the Ascension health system suffered a cyberattack that illustrated the disruption of breaches in hospitals.

Ascension discovered the breach in May and the system was forced to delay surgeries and appointments at some of its hospitals. Some hospitals had to divert ambulances, and patients faced longer waits at clinics. Some Ascension facilities were without access to their electronic health records for weeks.

The health system recently released information of the scope of the attack. In a notice sent to the state of Maine last week, Ascension said nearly 5.6 million individuals were affected by the breach. Maine requires organizations to notify the state about data breaches affecting residents in the state.

Ascension also informed the U.S. Department of Health & Human Services that about 5.6 million people were affected by the cyberattack. The Health Department requires organizations to send notification of all breaches involving at least 500 people.

In a message on its website, Ascension said the data exposed varies but could include medical information, credit card numbers, Social Security numbers, and insurance information. Ascension said while patient data was involved, “there remains no evidence that data was taken from our Electronic Health Records (EHR) and other clinical systems, where our full patient records are securely stored.”

Ascension said it plans to notify affected individuals by mail over the next few weeks, and the organization is offering credit monitoring to affected individuals for two years. Ascension is also offering theft recovery services to those who were affected.

The health system said in June that it appears the breach occurred when an Ascension employee inadvertently downloaded a malicious file that was thought to be authentic.

“We have no reason to believe this was anything but an honest mistake,” the system said in June.

In its notice to the state of Maine, Ascension said the breach occurred Feb. 29 and was discovered May 8. Cybersecurity experts say it’s not uncommon for organizations to learn about breaches weeks or even months after intruders have gained access to their systems.

Ascension said the cyberattack had a financial impact on the system, including a loss of volume due to delays at clinics. In a report last month discussing its financial performance in the first quarter of its fiscal year, Ascension noted that volumes were down 8% to 12% in May and June 2024, compared to the same months last year.

Noting surgeries that had to be postponed, Ascension said the system “has worked to reschedule procedural volumes that were delayed as a result of the cybersecurity attack.”

Ascension, and most hospital systems nationwide, experienced disruptions in early 2024 due to the Change Healthcare cyberattack, which cybersecurity officials have said is the most damaging healthcare cyberattack in U.S. history.

Change Healthcare said in October that the breach affected more than 100 million individuals, or about 1 in 3 Americans. Nearly all U.S. hospitals and medical groups experienced financial losses from the attack, because Change Healthcare offers so many services to the industry, including billing, claims and pharmacy services.

Ascension said in a financial statement that it has diversified its claims clearinghouses following the Change Healthcare attack “to better protect itself from future incidents.”

While the Ascension attack’s impact may be dwarfed by the Change Healthcare attack, only a small number of healthcare breaches have affected as many individuals. In terms of the number of people affected, the Ascension attack is the sixth largest in the U.S. Health Department’s database of breaches.

Ascension owns 118 hospitals and hundreds of healthcare locations, and the system has an ownership stake in 16 other hospitals.

Cybersecurity experts say hospitals continue to face attacks from ransomware groups, and those attacks are becoming more sophisticated.

During a recent cybersecurity forum held by Chief Healthcare Executive®, Lee Kim, senior principal of cybersecurity and privacy at HIMSS, suggested hospitals and health systems should be sharing more information about threats and potential risks they are seeing.

“We'll be on a sinking ship unless we band together, because all of us are vital to national security and the welfare of our people,” Kim said.

• Read more: Cybersecurity panel: How hospitals can protect their patients and their systems