A major data breach at Ascension, one of the largest nonprofit health systems in the U.S., has exposed the personal and medical information of over 430,000 patients. The incident, which took place in December 2024, involved the inadvertent disclosure of patient data to a former business partner, from whom cybercriminals stole the information. The breach underscores broader cybersecurity vulnerabilities in the healthcare industry, which experienced a 26% increase in data breaches in 2024 compared to the previous year. Ascension has offered affected patients two years of free identity monitoring services as part of its response.
Tech expert Kurt ‘CyberGuy’ Knutsson reports that healthcare information of more than 430,000 Ascension patients was exposed in a data breach.
The state of cybersecurity in the healthcare industry worries me a lot. Healthcare organizations, whether nonprofit or for-profit, collect an enormous amount of data. And it’s not just phone numbers, addresses or emails but also sensitive information like medical records, insurance details and more. This data is extremely valuable, which makes it a prime target for hackers.
What’s worse is that many healthcare institutions often neglect cybersecurity and treat it as an afterthought. In 2024 alone, an industry tracker recorded 1,160 healthcare breaches that exposed 305 million patient records. This marked a 26% increase compared to the previous year.
Against this backdrop, Ascension, a Missouri-based Catholic health system with 142 hospitals and 142,000 employees, recently disclosed that a December 2024 breach exposed the personal and medical information of more than 430,000 patients.
According to Ascension’s breach notification letters, the compromise began on Dec. 5, 2024, when the network learned patient data “may have been involved in a potential security incident.” By Jan. 21, 2025, its investigators had determined that Ascension had “inadvertently disclosed information to a former business partner,” and that attackers likely stole data from that partner via a flaw in its software. In other words, patient records passed from Ascension into a third party’s system and were then siphoned off by cybercriminals.
The attackers gained a broad array of information. Impacted patients’ demographic and financial details, names, mailing addresses, phone numbers, email addresses, dates of birth, race, gender and Social Security numbers were exposed. Even more worryingly, the breach included clinical data from hospital stays, including physician names, admission and discharge dates, diagnosis and procedure codes, medical record numbers and insurance details. This is the very data that criminals can exploit for fraud or identity theft.
Ascension reported the breach to regulators via an HHS filing on April 28, 2025, which shows 437,329 patients affected. By comparison, the company had earlier disclosed the impact in state filings. For example, 114,692 Texas patients and 96 Massachusetts residents were individually notified of exposure. In response, Ascension is offering those affected two years of free identity monitoring services (credit monitoring, fraud consultation and identity theft restoration).
For scale, Ascension is a major nonprofit health system, one of the largest in the U.S., operating 142 hospitals across North America. The company has not named the third-party partner, but its description fits a vendor whose secure file-transfer software was breached.
Attackers have frequently targeted Ascension, but the company does not seem to be learning its lesson. If it were a one-off incident, it might be understandable. But how do you fail to strengthen cybersecurity after experiencing a nationwide blackout? Rather than being an isolated event, this breach feels like part of a larger pattern. The industry relies on complex vendor networks and outdated IT systems, while cybercriminals continue to exploit emerging vulnerabilities.
Should hospitals be penalized for neglecting basic cybersecurity practices? Let us know by writing us at Cyberguy.com/Contact.
Copyright 2025 CyberGuy.com. All rights reserved.