Around 5.6 million individuals have had their sensitive personal, medical and financial information breached as a result of a ransomware attack on US healthcare giant Ascension.
The company shared the extent of the data breach in a filing to the Office of the Maine Attorney General on December 19.
Following an investigation, Ascension discovered that the attackers obtained copies of files containing the personal information of its patients and employees.
This information included:
- Personal details, including names, dates of birth, addresses, Social Security numbers and drivers' licenses
- Medical information, including medical record numbers, dates of service, types of lab tests, or procedure codes
- Financial details, including credit card information or bank account number
The type of information accessed varied by individual, Ascension said.
However, there is currently no evidence that data was taken from its Electronic Health Records (EHR) and other clinical systems, where full patient records are stored.
The non-profit healthcare provider, which operates 140 hospitals across the US, is in the process of emailing data breach notification letters to the impacted individuals, which will be delivered over the next two to three weeks.
Ascension has also arranged to offer impacted individuals 24 months of credit and CyberScan monitoring, a $1m insurance reimbursement policy and fully managed ID theft recovery services through IDX.
Black Basta Blamed for Ascension Attack
Notorious ransomware-as-a-service (RaaS) group Black Basta was reportedly behind the May 2024 attack, although this has not been confirmed.
The incident caused ambulances to be diverted and patient appointments to be postponed.
Ascension said that upon detecting unauthorized activity on its systems on May 8, it initiated an investigation with third-party cybersecurity experts.
The firm also reported the incident to law enforcement and government partners, including the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
In June, Ascension revealed that the ransomware attackers gained access to its systems after an employee accidentally downloaded a malicious file, suggesting the root cause of the incident was a phishing attack.