Non-profit healthcare system Ascension Health has notified the US Department of Health and Human Services of a data breach affecting more than 437,000 patients. The hackers targeted a vulnerability in a third-party program that one of Ascension’s business partners used.
The intrusion occurred on December 5, 2024, when Ascension discovered that it may have “inadvertently disclosed information” to a former business partner. Since the breach happened in the partner’s systems, Ascension’s systems remain protected.
An incident report published by the company claims that the stolen information included names, addresses, phone numbers, email addresses, birthdays, race, gender, Social Security numbers (SSN), details of visits, physician names, admission and discharge dates, billing codes, medical record numbers, and insurance company names. The exact information disclosed varies from person to person.

For now, Ascension is providing two years of identity theft protection services to the affected individuals. These include credit monitoring, fraud consultation, and identity theft restoration. People notified of the breach are also advised to remain vigilant and review financial and personal information for signs of anomalies.
The company didn’t share technical details of the attack, and the incident listing on the HHS website gives no information beyond the total number of affected individuals, 437,329. However, the timing of the breach aligns with the Cl0p ransomware gang’s attacks on Cleo’s file transfer platform. The attacks affected at least 66 companies, including banks and other healthcare institutions.
If the breach was indeed caused by Cl0p ransomware, it is the second incident to affect Ascension in 2024. The company was targeted by the BlackBasta ransomware earlier, in May 2024. That attack was significantly larger, affecting the patient data of over 5.6 million individuals.