Ascension cyberattack exposed medical data of 5.6M customers

A cyberattack on May 8 against healthcare giant Ascension resulted in the medical data of 5.6 million customers being exposed, according to a filing with the Maine attorney general’s office published on December 20.

WHY IT MATTERS
In June, the health system determined that an attacker gained access to its systems after an employee at one of its facilities inadvertently downloaded a malicious file, believing it to be legitimate.

The organization stated there was no indication that the incident was anything other than an honest mistake.

Months of investigation with third-party experts also led to Ascension determining sensitive data belonging to current and former patients, senior living residents, and employees was potentially exposed.

A December 19 announcement from Ascension noted the compromised information varies by individual and may include medical details such as medical record numbers, dates of service, lab test types and procedure codes.

Payment information, including credit card or bank account numbers, insurance details ranging from Medicaid and Medicare IDs to policy numbers and claims, government identification, including Social Security numbers, tax IDs, driver’s licenses or passports, and personal information such as addresses and dates of birth were potentially involved.

Ascension also confirmed its electronic health records and other core clinical systems, where full patient records are securely stored, were not accessed during the attack.

THE LARGER TREND

Among the other major healthcare breaches in 2024 include a cyberattack against Change Healthcare in February, which impacted 100 million people – the largest breach ever reported to federal regulators.

In April, Kaiser Permanente reported that 13.4 million people were affected by a data breach that exposed patient and plan members’ information.

Meanwhile, legislation is being proposed to bolster healthcare cybersecurity defense in the form of the Health Care Cybersecurity and Resiliency Act.

The bipartisan bill, introduced in November, would offer grants to healthcare organizations to help them shore up their ability to prevent and respond to cyberattacks.

Meanwhile, governance remains a concerning weak point in healthcare, even as cyberattacks are becoming more prominent and the risks of IoT medical devices are coming into sharper focus.

ON THE RECORD
Tim Rawlins, senior adviser and director for security at cybersecurity consultancy NCC Group, noted healthcare will always be an attractive target, given the sheer quantity of sensitive data organizations hold and the need to make information available to the medical staff as quickly as possible.

“Basic cyber security measures, individual log ins, multi-factor authentication, and patched, secure and monitored systems will go a long way to preventing these attacks,” he said.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: na********@***il.com
Twitter: @dropdeaded209