Ascension, one of the largest private healthcare companies in the United States, has confirmed that the personal data of some 437,329 patients has been exposed following an attack by cybercriminals.
To the undoubted distress of Ascension’s client base, the details of hundreds of thousands have fallen into the hands of hackers, opening up opportunities for fraud and identity theft.
Breached information includes:
- names
- addresses
- phone numbers
- email addresses
- dates of birth
- races
- genders
- Social Security numbers
- physicians’ names
- admission and discharge dates
- diagnosis and billing codes
- medical visit details
In a notification letter sent to affected individuals, the healthcare giant explains that it had learnt in December 2024 that sensitive information related to patients may be in the hands of hackers, and that by January 21 2025 it had confirmed that it was dealing with a serious incident.
According to Ascension, it had “inadvertently disclosed” information to a former and unnamed business partner, which was “likely stolen” due to a vulnerability in third-party software used by the same business partner.
Industry observers have linked the Ascension patient data breach to the Clop ransomware group which in late 2024 was exploiting a zero-day vulnerability in software by enterprise software developer Cleo.
The security flaw in Cleo’s software allowed attackers to remotely execute code, stealing files from organisations that were using the vulnerable software.
Other organisations that are said to have been impacted by Cleo-related data breaches include Western Alliance Bank and Hertz.
Clop has listed hundreds of companies on its leak website in the last several months, with many of the breaches linked to Cleo.
Ascension says it is offering two years’ worth of free credit monitoring and identity restoration assistance to those who may be impacted by the data breach. But that is likely to be little comfort for those who may be waking up to the reality that their sensitive medical data is now circulating publicly.
Ascension, meanwhile, has learnt the hard way that your systems are only as secure as your least protected partner.
All healthcare businesses handling sensitive information would be wise to scrutinise the data privacy and security of not only their own systems, but also their supply chain.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Fortra.
