Overview of the Ascension Health Cyberattack
In a significant digital security breach, Ascension Health fell victim to a cyberattack on its network systems this week. The US’ largest network of Catholic hospitals has suffered interruptions to daily operations and patient care as a result, with patients checking themselves out to seek healthcare elsewhere.
Cybersecurity Event Detected
A statement posted to the St. Louis-based healthcare system’s website on May 9th notes, “We detected unusual activity on select technology network systems, which we now believe is due to a cybersecurity event.” It further states that an investigation was initiated and Ascension has activated remediation efforts and engaged the services of Mandiant, a cybersecurity firm and Google subsidiary, to assist with these.
Impact of the Cyberattack on Ascension Health
Systems were shut down early Wednesday, and healthcare professionals employed by Ascension Health anonymously told the Detroit Free Press that they had no access to patient records, lab or radiology results, or other systems, relating that “We have to write everything on paper. It’s like the 1980s or 1990s.” Patients who needed care urgently were being accepted by ambulance as of Wednesday evening, but those who could be diverted to other hospitals nearby were sent away as a result of the outage, and some who were already at Ascension hospitals left on their own.
Ascension Health Only the Latest Healthcare Organization Attacked
As CISA and other organizations have warned previously, healthcare
organizations, and Protected Health Information (PHI) and Personal Identifiable Information (PII), are increasingly tempting and lucrative targets for bad actors. The nature of the data stored by these systems, and the legal and civil liabilities of a data breach, are luring more and more ransomware gangs and other cyberattackers, as Ascension Health has discovered.
UnitedHealth and Change Healthcare
Last week, UnitedHealth Group CEO Andrew Witty testified before both the House Oversight and Investigations Subcommittee and the Senate Finance Committee about February’s Change Healthcare ransomware attack, finally confirming that the company had paid $22M in cryptocurrency to the BlackCat ransomware gang to regain access to its data. As a second group, known as RansomHub, has posted screenshots to the dark web of some of Change Healthcare’s data and threatened to sell four terabytes including PHI and PII, Witty was unable to say yet how many Americans may have been impacted, although he suggested that it may be “a third” of the nation. The American Hospital Association and other hospital groups have urged UHG in an open letter to provide breach notifications on behalf of medical practices and healthcare organzations.
Kaiser Permanente
Late in April, healthcare giant Kaiser Permanente acknowledged that it may have leaked patients’ personal information to third-party advertising vendors including Google, Microsoft, and X (formerly known as Twitter). Commonly-used tracking pixels or code were the culprit, and shared with the advertisers such information as member names and IP addresses, health encyclopedia search terms, and navigation through the healthcare organization’s website and mobile apps. This leak may affect up to over 13 million current and former members and patients.
Conclusion: Strengthening Cybersecurity After the Ascension Health Cyberattack
The Ascension Health cyberattack, combined with the Change Healthcare and Kaiser Permanente data debacles, should signal the immediate need for a sector-wide reassessment of cybersecurity strategies in healthcare. Protecting sensitive health information is not only a technical and financial requirement but a moral imperative to ensure patient trust and care continuity. Ascension Health’s experience provides valuable lessons in resilience, rapid response, and the importance of proactive security measures and managed IT services in today’s digital age.