5.6 Million Patients Affected by Ascension Ransomware Attack

In May 2024, Ascension Health suffered a ransomware attack, but it took time to identify the number of people impacted. The data breach report submitted to the HHS’ Office for Civil Rights (OCR) in July 2024 carried a placeholder figure of 500 impacted persons, because the deadline for reporting under the HIPAA Breach Notification Rule was almost up and the breached entity had not yet finished its investigation and data analysis.

The OCR data breach portal update on or about December 19, 2024 changed Ascension Health’s 500 estimate to 5,599,699 records. This number of breached records makes it the third biggest healthcare data breach in 2024. The biggest is the Change Healthcare ransomware attack with 100 million breached records, and the second biggest is the Kaiser Foundation Health Plan tracking technology data breach with 13.4 million breached records.

Ascension reported it was handling a cyberattack in May 2024, then released an announcement in June saying that patient records were stolen in the attack. At that time, the exact types of data and the number of individuals affected were still unknown. Ascension, together with third-party experts, had been reviewing the impacted information. In the December 19, 2024 update, Ascension announced that the data analysis was completed. It will begin mailing individual notification letters to the impacted persons. The process of notifying the affected individuals will likely require 2 to 3 weeks. Therefore, some affected individuals may receive the letters by January 2025.

Ascension is providing a new credit monitoring program that is valid for two years. This program is different from the one Ascension provided in July 2024. That means those who subscribed to the credit monitoring services earlier this year should register once more to make sure they get the full 2-year support.

The types of information affected differ from person to person. However, Ascension Health cannot identify the compromised information for every person. Therefore, any person getting a notification letter should assume that all the types of data listed below might have been exposed and should take proper safety measures, which include registering for the complimentary credit monitoring services as a top priority and checking their accounts and explanation of benefits statements for indications of fraudulent transactions.

Data possibly compromised in the ransomware attack on Ascension:

  • Personal data – Name, birth date, address
  • Medical data – Medical record number, type(s) of laboratory tests, date(s) of service, procedure codes
  • Payment details – Credit card data, bank account number
  • Insurance details – policy number, Medicare/Medicaid ID, insurance claim
  • Government ID – Social Security number, tax ID number, passport number, driver’s license number

Ascension stated it did not find any proof that the ransomware group acquired access to electronic health records (EHR) or other medical systems; therefore, complete medical histories were not stolen. Any individual worried about data theft can contact the Ascension helpline at (866) 724-3233 from 8:00 a.m. to 8:00 p.m. or learn more about the free credit monitoring services at https://response.idx.us/ascension/

About Thomas Brown
Thomas Brown worked as a reporter for several years on ComplianceHome. Thomas is a seasoned journalist with several years' experience in the healthcare sector and has contributed to healthcare and information technology news publishers. Thomas has a particular interest in the application of healthcare information technology to better serve the interest of patients, including areas such as data protection and innovations such as telehealth. Follow Thomas on X https://x.com/Thomas7Brown