Earlier this year, a disastrous cybersecurity breach at one of the largest health systems in the United States exposed the sensitive data of 5.6 million patients and employees.
The February 29, 2024 ransomware attack at Ascension Health, which operates approximately 140 hospitals, 40 elder care facilities, and 175,000 affiliated providers across the United States, was not discovered until May 8.
Ascension Health handles over 16 million patient visits per year and reported that the data involved varies and cannot be verified on an individual basis, but may include any of the following:
The organization is currently completing a data review, has identified those affected, and is initiating the process of notifying 5,599,699 potentially affected patients and employees. Ascension will provide 24 months of credit and cyberscan monitoring, $1 million in insurance reimbursement coverage, and fully managed identity theft recovery services.
In its announcement, Ascension said, “Even though patient data was involved, ... there remains no evidence that data was taken from electronic health records (EHRs) or other clinical systems where our complete patient records are securely stored.”
Ascension also stated that since the attack, it has successfully “restored access to all systems, clinical functions, and electronic health records affected by the incident.”
The initial breach was caused by an employee accidentally downloading a malicious file. The ransomware group Black Basta is believed to be responsible for the cyberattack; Black Basta is a ransomware-as-a-service operation, first identified in April 2022, and more than 500 organizations have been victims of its attacks.
After the Ascension attack, both the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) stated that the security measures hospitals and critical infrastructure organizations should follow include applying OS, software, and firmware updates as soon as they are released, requiring phishing-resistant MFA for as many services as possible, and training users to recognize and report phishing attempts.