Ascension Data Breach: Patient Information ‘Likely Stolen’ After ‘Inadvertently’ Being Shared With Former Business Partner

Third-party software used by a former Ascension business partner was involved.


Ascension, a health system with 105 hospitals and operations in 16 states and Washington, D.C., said it discovered late last year that some patient information was “likely stolen” after the organization “inadvertently disclosed” that data to a former business partner, which suffered a breach through third-party software.

Ascension said in a news release that it learned of a potential security incident on December 5, 2024, and that it immediately started an investigation. This past January, Ascension said it discovered that it “inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.”

In the release, Ascension said that sites of care in Alabama, Michigan, Indiana, Tennessee and Texas were affected.

“Importantly, this incident did not involve Ascension systems, networks, or electronic health records,” the organization said in the release.

The nonprofit Catholic health system said that it has “since reviewed our processes and are working to implement enhanced measures to prevent similar incidents from occurring in the future.”

Ascension said in a notification to the Massachusetts attorney general’s office that the personal information involved in this incident included demographic information, such as patient names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers, “as well as clinical information related to an inpatient visit, such as place of service, physician name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name. The exact type of information involved depends on the individual.”

The organization said that it’s offering those affected by the breach two years of complimentary identity monitoring services.

An Ascension spokesman said he had no further information to provide beyond the release.

The disclosure of the data breach comes less than a year after Ascension suffered a catastrophic cyberattack that disrupted clinical operations, affecting 5.6 million people. That attack, blamed on the Russian-linked Black Basta group, shut down Ascension’s electronic health records system and forced it to divert emergency care at some of its hospitals.
