The cyberattack that Ascension suffered in May resulted in the exposure of 5.6 million patients’ personal and health information, according to a recent breach notification filed with the Maine Attorney General.
The health system is providing all impacted patients credit monitoring and identity protection services free of charge. The exposed data includes personal information such as credit card numbers, bank account numbers, Social Security numbers, driver’s license numbers and addresses, as well as medical information like procedure codes and types of lab tests.
There is no evidence that data was stolen from Acension’s EHR or other clinical systems, though, the health system said in a statement last week.
Reducing Clinical and Staff Burnout with AI Automation
As technology advances, AI-powered tools will increasingly reduce the administrative burdens on healthcare providers.
When Ascension — the fourth-largest health system in the country — was attacked earlier this year, there were major repercussions in terms of both patient safety and operational efficiency.
Hospitals across several states went offline, ambulances had to be diverted to hospitals whose systems were still functioning, and thousands of clinicians had to revert to paper recordkeeping. It took weeks for Ascension to fully restore its EHR and clinical operations, with things normalizing in mid-June.
The attack also had a major effect on the health system’s finances. Ascension’s financial results for the fourth-quarter fiscal year 2024 revealed a $1.8 billion operating margin loss, which was due in large part to the cyberattack.
Ransomware group Black Basta claimed responsibility for the attack. The cybergang — which is believed to be an offshoot of the notorious Russian cybercriminal group Conti — has impacted more than 500 organizations across the world, according to a May notice from the Cybersecurity and Infrastructure Security Agency (CISA).
Healthcare cyberattacks of this scale are likely to continue, according to Tim Rawlins, senior adviser and director of security at cybersecurity consultancy NCC Group.
“Healthcare will always be an attractive target, given the sheer quantity of sensitive data organizations hold and the need to make information available to the medical staff as quickly as possible. This case reflects that situation. It is also indicative of the situation we see in so many medical institutions — investing in keeping IT systems patched, secure and segmented will always take second place to a new medical device in most doctors’ minds,” he said in a statement sent to MedCity News.
Photo: JuSun, Getty Images