One of America’s largest nonprofit health systems, Ascension, which operates 142 hospitals across 19 states, has confirmed that a May 2024 ransomware attack exposed the personal data of 5.6 million individuals. The breach caused widespread system disruptions and significant financial losses, offering crucial lessons for healthcare providers and businesses about cybersecurity vulnerabilities and incident response.
Timeline and impact of the attack
The attack began on February 29, 2024, and has been attributed to the Black Basta ransomware group. However, the breach remained undetected until May 8, when Ascension discovered unauthorized activity in its systems. According to Proven Data’s experts, it is not unusual for victims to take days or even months to detect a cyberattack, as most ransomware strains use detection-evasion techniques while spreading across the network. When it discovered the infection, the health system took immediate action, disconnecting various systems and implementing downtime procedures.
The attack had an extensive impact, with hospitals having to divert ambulances, postpone elective procedures, and revert to paper-based operations. Medical staff faced significant challenges, including delayed access to test results and patient records. The financial impact was substantial, with Ascension reporting a $1.8 billion operating margin loss by the end of its fiscal year. This is the third-largest healthcare data breach of 2024, after Change Healthcare (100 million records) and Kaiser Foundation (13.4 million records).
Compromised information
According to Ascension’s disclosure, the stolen data may include:
- Medical information, including medical record numbers, service dates, lab tests, procedure codes
- Payment details such as credit card information, bank account numbers
- Insurance information, Medicaid/Medicare IDs, policy numbers, insurance claims
- Government identification, from Social Security numbers and driver’s licenses to passport numbers
- Personal information like birth dates and addresses
Incident response and recovery
When Ascension discovered the ransomware attack, it implemented a multifaceted response plan focused on immediate containment and long-term protection. This approach demonstrates how large healthcare organizations handle major cybersecurity incidents while balancing patient care needs with data protection requirements.
Credit monitoring and identity protection services
Ascension took an unusually comprehensive approach to its credit monitoring offering. Unlike the standard one-year packages commonly offered after data breaches, it provided a two-year protection plan through IDX. This extended coverage acknowledges the long-lasting impact of healthcare data breaches, as medical and personal information can remain valuable to criminals for years after a breach. The protection package includes CyberScan monitoring, which actively searches the dark web for exposed personal information, providing an additional layer of security beyond traditional credit monitoring.
Dedicated communication channels
The establishment of a dedicated helpline (866-724-3233) is a crucial component of Ascension’s response. Operating from 8:00 AM to 8:00 PM Monday through Friday, this helpline serves multiple purposes. It helps affected individuals enroll in protection services, answers questions about the breach, and provides guidance on additional security measures. This dedicated channel helps prevent the overload of regular hospital phone lines while ensuring affected individuals receive specialized support from staff trained in handling data breach concerns.
Enhanced security measures
In response to the attack, Ascension implemented several technical improvements. It diversified its claims clearinghouse to protect against future attacks, addressing a vulnerability exposed during the incident. The organization also enhanced its server monitoring capabilities, noting that the initial compromise of only seven of its 25,000 servers was enough to cause widespread disruption.
Collaboration with authorities
Ascension’s partnership with federal authorities and cybersecurity experts has been comprehensive. They engaged:
- The Federal Bureau of Investigation (FBI) for criminal investigation
- The Cybersecurity and Infrastructure Security Agency (CISA) for technical guidance
- The Health Information Sharing and Analysis Center (Health-ISAC) to share threat intelligence
- Mandiant, a Google-owned cybersecurity firm, for forensic investigation and recovery
- The Department of Health and Human Services Office for Civil Rights for regulatory compliance
This multi-agency collaboration helps ensure a thorough investigation while contributing to the broader healthcare sector’s cybersecurity knowledge base.
Notification process
The notification process demonstrates the complexity of managing large-scale data breaches. Ascension’s approach includes:
- Detailed notification letters explaining the specific types of data that may have been compromised
- A phased mailing method to manage the large volume of notifications effectively
- Clear instructions for enrolling in protection services
Recovery challenges and ongoing impact
Restoring services took longer than initially anticipated, with some systems requiring weeks to recover fully. This timeline reflects the careful approach needed when rebuilding compromised healthcare systems, where rushing could introduce new vulnerabilities or compromise patient safety.
Based on lessons learned, Ascension has implemented new security protocols, enhanced staff training programs, and revised its incident response procedures. These changes represent the evolution of Ascension’s security posture from reactive to proactive, incorporating insights gained from the breach to prevent future incidents.
The Ascension incident joins other major healthcare sector breaches in 2024, including the Change Healthcare attack affecting 100 million records and the Kaiser Foundation Health Plan breach impacting 13.4 million records. These incidents collectively highlight the healthcare sector’s position as a prime target for cybercriminals and the critical need for enhanced security measures across the industry.