Ascension Data Breach Exposes Information of Over 430,000 Patients

Ascension, one of the largest private healthcare systems in the United States, has confirmed that a recent data breach exposed the personal and medical information of 437,329 individuals.

The breach was linked to a former business partner and was disclosed in April. According to Ascension, the incident occurred in December 2024 and was caused by a security vulnerability in third-party software used by the former partner. The healthcare provider learned about the potential exposure on December 5, 2024, and completed its investigation on January 21, 2025.

Depending on the patient, the stolen data may include:

• Personal details such as name, address, phone number, email, date of birth, race, gender, and Social Security number

• Medical information including inpatient visit details, physician name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name

In filings with U.S. government agencies, Ascension revealed the scale of the breach, with 114,692 individuals affected in Texas and others in states like Massachusetts. The total number of impacted individuals was later confirmed as 437,329.

To help protect affected individuals, Ascension is offering two years of free identity monitoring services. These include credit monitoring, fraud consultation, and identity theft recovery support.

While Ascension has not confirmed the exact nature of the attack, the timing suggests it may be related to the Clop ransomware group's data theft campaign, which targeted a vulnerability in Cleo secure file transfer software.

This is not the first cyberattack the company has faced. In May 2024, Ascension notified 5.6 million patients and employees about another breach caused by the Black Basta ransomware group. That incident began when an employee downloaded a malicious file. It disrupted operations, forcing staff to use paper records and temporarily halting some medical services.

Ascension operates 142 hospitals and 40 senior care facilities across North America and employs over 142,000 people. In 2023, the organization reported $28.3 billion in revenue.

The company says it continues to strengthen its cybersecurity measures to prevent future breaches.