US healthcare giant Ascension says a ransomware attack has affected nearly six million customers
- Ascension was hit by a ransomware attack in May 2024
- The investigation into the attack has now been completed
- Sensitive data of almost 5.6 million people was stolen
Hackers who hit Ascension with ransomware managed to steal a trove of sensitive customer information, with medical information, personally identifiable information, payment details, and more all compromised.
The US healthcare giant has now released new details about the ransomware attack and filed a new form with the Maine Attorney General’s office.
The cyber attack occurred on May 7 and 8 and resulted in significant disruptions to clinical operations. Employees were unable to access electronic medical records and patient portals, and some facilities were even forced to divert ambulances, with elective care interrupted in the aftermath.
Disrupting healthcare
In the filing, the company said that exactly 5,599,699 people were affected by the incident, and in the update it added that the attackers collected the following information, among other things:
- medical information (medical record number, date of service, types of laboratory tests or procedure codes)
- payment details (credit card details or bank account number)
- insurance information (Medicaid/Medicare ID, policy number, or insurance claim)
- government identification (social security number, tax identification number, driver’s license number or passport number)
- and other personal information (date of birth or address).
While the attack seems massive and puts millions of people at risk of identity theft, wire fraud, phishing and social engineering attacks, Ascension remains optimistic.
“Although patient data was involved, importantly, there is no evidence that data originated from our electronic health records (EHR) and other clinical systems, where our entire patient records are securely stored,” the report said.
The company said it will now notify affected individuals and expects the job to be completed within three weeks.
At the time of writing, no threat actors have claimed responsibility for the attack, and we don’t know if Ascension paid a ransom in exchange for the data – although it does say that the attack affected its ability to recover from the harms of the previous financial year.