Health data of 5.6 million stolen in ransomware attack

​Ascension, one of the largest private U.S. healthcare systems, is notifying over 5.6 million patients and employees that their personal and health data was stolen in a May cyberattack linked to the Black Basta ransomware operation.

The health network reported a total revenue of $28.3 billion in 2023 and operates 140 hospitals and 40 senior care facilities across the United States.

The company now mails data breach notifications to 5,599,699 affected individuals via the United States Postal Service. Starting Thursday, December 19, Ascension also offers affected people 24 free months of IDX identity theft protection services, including CyberScan monitoring and a $1,000,000 insurance reimbursement policy.

Ascension says it notified law enforcement and government partners, such as CISA and the FBI, of the breach after detecting the May 8 attack.

“Upon discovering the unauthorized activity, we initiated an investigation with the assistance of leading cybersecurity experts,” Ascension states in the breach notification letters. “Through this investigation, we found evidence that on May 7 and 8, a cybercriminal obtained a copy of certain files containing personal information of our patients and associates.”

Since the breach, Ascension’s investigation has revealed that some of the stolen files contained patients’ and employees’ names and information across one or more of the following categories (the specific type of exposed information varies from one individual to another):

1. Medical information, such as medical record numbers, dates of service, types of lab tests, or procedure codes,
2. Payment information encompassing credit card information or bank account numbers,
3. Insurance information containing Medicaid/Medicare IDs, policy numbers, or insurance claims,
4. Government identification information, including Social Security numbers, tax identification numbers, driver’s license numbers, or passport numbers,
5. And other personal information, such as dates of birth or addresses.

After the incident, Ascension revealed that the ransomware breach was caused by an employee who downloaded a malicious file onto a company device. However, it believes this was likely an “honest mistake,” given that the employee thought they were downloading a legitimate file.

The ransomware attack impacted Ascension’s MyChart electronic health records system, phones, and systems for ordering tests, procedures, and medications. It also forced the healthcare giant to take some devices offline on May 8 to contain what it initially described as a “cyber security event.”

Following the incident, Ascension employees had to keep track of procedures and medications on paper, as they could no longer access patients’ electronic records. The company also had to pause some non-emergent elective procedures, tests, and appointments and divert emergency medical services to other healthcare units to prevent triage delays.

While the healthcare giant has yet to link the May attack to a ransomware operation, CNN linked the Black Basta cybercrime gang to the incident (the ransomware group has yet to add Ascension to its data leak site). Days after the breach, the Health Information Sharing and Analysis Center (Health-ISAC) also warned that Black Basta “has recently accelerated attacks against the healthcare sector.”

Since the operation emerged in April 2022, Black Basta has breached the networks of many high-profile victims, including German defense contractor Rheinmetall, outsourcing giant Capita, U.S. government contractor ABB, and the Toronto Public Library.

Joint research from Elliptic and Corvus Insurance shows that the ransomware gang collected over $100 million from more than 90 victims until November 2023.