A simple mistake by an employee at Ascension Healthcare led to one of the largest data breaches in U.S. healthcare history, exposing sensitive information of 5.6 million patients across the country.
According to a filing with the Maine Attorney General's office on December 20, the breach occurred when an employee inadvertently downloaded a malicious file that appeared legitimate. The incident, which began on February 29, went undetected for over two months until May 8.
The breach exposed a wide range of personal data, including:
- Payment information
- Insurance details
- Social Security numbers
- Home addresses
- Dates of birth
While patient electronic health records were reportedly not directly compromised, the attack caused major disruptions across Ascension's network of 118 hospitals and hundreds of other facilities. Many locations were forced to postpone surgeries and appointments, with some having to divert ambulances. Several facilities lost access to electronic records for weeks following the breach.
The impact extended beyond patient care to the organization's bottom line, with Ascension reporting an 8-12 percent decrease in patient volume during May and June compared to 2023.
This incident ranks as the sixth-largest healthcare data breach ever reported and comes in the wake of the Change Healthcare cyberattack that affected over 100 million Americans earlier in 2024. In response, Ascension has announced plans to diversify its claims clearinghouses to strengthen its security posture.
The healthcare sector continues to be a prime target for cybercriminals, with ransomware attacks reaching new heights. Recent data shows the median ransom payment surged to $2.54 million last year, dramatically up from $62,500 the previous year.
Ascension maintains that the breach resulted from "an honest mistake" and is working to reschedule delayed procedures while implementing enhanced security measures to prevent future incidents.