Ascension Healthcare Data Breach Exposes 430,000 Patient Records
In a recent cybersecurity incident, Ascension, a major U.S. Catholic health system operating 142 hospitals across North America, revealed that over 430,000 patient records were exposed in a data breach. The breach, which occurred in December 2024, was the result of a third-party vendor’s compromised secure file-transfer system. Ascension reported the breach to regulatory authorities in April 2025, revealing that 437,329 patients were impacted, with some states reporting individual notifications. Ascension is offering affected patients two years of free identity monitoring services as a response.
According to breach notification letters from Ascension, the compromise began on Dec. 5, 2024, when the network learned patient data may have been involved in a potential security incident. By Jan. 21, 2025, its investigators had determined that Ascension had inadvertently disclosed information to a former business partner, and that attackers likely stole data from that partner via a flaw in its software. In other words, patient records passed from Ascension into a third party’s system and were then siphoned off by cybercriminals.
The attackers gained access to a broad array of information, including demographic and financial details, names, mailing addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers. Even more worryingly, the breach included clinical data from hospital stays, including physician names, admission and discharge dates, diagnosis and procedure codes, medical record numbers, and insurance details. This is the very data that criminals can exploit for fraud or identity theft.
For context, Ascension is a major nonprofit health system and one of the largest in the U.S., operating 142 hospitals across North America. The company has not named the third-party partner, but its description fits a vendor whose secure file-transfer software was breached. The timing aligns with a series of recent attacks by the Cl0p ransomware group, which has publicly claimed responsibility for exploiting a zero-day flaw in Cleo’s secure file-transfer products and stealing data from dozens of organizations worldwide.
Ascension’s patients and employees are no strangers to data breaches. In May 2024, a Black Basta ransomware attack compromised Ascension’s own network. That incident, traced back to a single employee opening a malicious file, resulted in the exfiltration of data belonging to nearly 5.6 million people. The fallout was severe, with hospitals losing access to digital records, forcing clinicians to record vitals, medications, and orders on paper. Elective procedures and some appointments were paused, and emergency services were redirected to unaffected facilities to avoid delays in care.
The healthcare industry, in general, is facing a growing threat from cyberattacks. In 2024 alone, an industry tracker recorded 1,160 healthcare breaches that exposed 305 million patient records, marking a 26% increase compared to the previous year. Tech expert Kurt “CyberGuy” Knutsson has raised concerns about the state of cybersecurity in the healthcare industry, noting that healthcare organizations often neglect cybersecurity, treating it as an afterthought. This negligence has left the sector vulnerable to cybercriminals who can exploit sensitive patient data for financial gain or identity theft.
In response to the breach, Ascension is offering affected patients two years of free identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration. However, this is a reactive measure, and there are ongoing calls for the industry to invest more resources in cybersecurity to prevent future breaches. As tech expert Kurt “CyberGuy” Knutsson has emphasized, the healthcare sector must take cybersecurity seriously to protect sensitive patient information from further exploitation.
For individuals concerned about the breach, several steps can be taken to protect themselves. These include being vigilant about phishing scams, using strong antivirus software, scrubbing personal data from the internet, safeguarding against identity theft, setting up fraud alerts, monitoring credit reports, changing passwords, and being wary of social engineering attacks. These steps, while not a complete solution, can help mitigate the risk of further damage from cyber threats.