Ascension Health, one of the largest healthcare systems in the United States, disclosed that a ransomware attack in May 2024 compromised the personal, medical, and payment information of nearly 5.6 million individuals.
The non-profit organization has since concluded its investigation and will begin notifying affected individuals. Both patients and employees of Ascension are concerned, and the Maine Attorney General’s Office notes that the data of 5,599,699 individuals was impacted.
The attack, which occurred on May 8, caused significant service disruptions across Ascension facilities. Hospitals were forced to revert to downtime procedures and divert emergency medical services.
Though the healthcare provider restored most services by mid-June, an investigation revealed that attackers had exfiltrated sensitive data from multiple servers, including protected health information (PHI) and personally identifiable information (PII).
According to Ascension, the compromised information varies by individual but may include names, addresses, dates of birth, Social Security numbers, government ID numbers, driver’s license numbers, medical insurance details, tax identification numbers, and payment information.
The recent update stated, “Since the May ransomware attack, we have been working with third-party experts to investigate what individuals’ data may have been involved in this incident. That review of the data is now complete, and starting today, Ascension will begin the process of notifying individuals whose personal information was involved in this incident.”
A copy of Ascension's written notification letter, submitted to the Maine AGO, details the scope of the breach. The organization plans to mail notification letters over two to three weeks.
Ascension offers affected individuals one year of complimentary credit monitoring and identity protection services. These services include a $1 million insurance reimbursement policy to mitigate the potential harm caused by the breach.
While CNN sources in May linked the attack to the Black Basta ransomware gang, no group has claimed responsibility for the breach, and Ascension has yet to confirm these reports. This lack of attribution has led to speculation that a ransom may have been paid, though no official statement has addressed this matter.