Ascension Health’s latest data breach exposes 437,000 patients’ data via a third...
Ascension, one of the largest private healthcare systems in the U.S., has disclosed a massive [data breach](https://www.secureblink.com/cyber-security-news/5-6-million-patient-data-exposed-in-black-basta-ransomware-breach) impacting **437,329 patients**, with sensitive personal and medical information stolen through a former business partner’s compromised systems. The breach, linked to a third-party software vulnerability, marks the second major cybersecurity incident for the healthcare giant in less than a year.
### **Details of Exposed Information**
According to breach notifications sent to affected patients in April 2025, hackers accessed:
- **Personal Data**: Names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers (SSNs).
- **Health Information**: Physician names, admission/discharge dates, diagnosis codes, medical record numbers, insurance details, and billing codes.
The stolen data could enable identity theft, insurance fraud, or targeted phishing attacks, underscoring risks for impacted individuals.
### **Timeline and Investigation**
- **December 5, 2024**: Ascension first learned of a “potential security incident” involving a former business partner.
- **January 21, 2025**: Investigation confirmed patient data was “inadvertently disclosed” to the partner and later stolen due to a vulnerability in their third-party file transfer software.
While Ascension did not name the partner, cybersecurity experts suspect links to **[Clop ransomware](https://www.secureblink.com/threat-research/clop-ransomware)’s widespread attacks** in late 2024, which exploited a zero-day flaw in Cleo file transfer tools.
### **State-Specific Impacts**
- **Texas**: 114,692 residents affected.
- **Massachusetts**: 96 individuals had medical records and SSNs exposed.
- **Nationwide**: The U.S. Department of Health & Human Services (HHS) filing revealed the total number of impacted individuals on April 28, 2025.
### **Ascension’s Response & Remediation**
The healthcare provider is offering impacted patients:
- **Two years of free identity monitoring** (credit monitoring, fraud consultation, identity theft restoration).
- A dedicated call center for breach-related inquiries.
In a statement, Ascension emphasized it _“immediately initiated an investigation”_ upon discovering the incident and has since _“strengthened third-party vendor oversight.”_
### **Repeat Cybersecurity Challenges**
This breach follows a **May 2024 Black Basta ransomware attack** that exposed data of 5.6 million patients and employees. That incident, caused by an employee downloading a malicious file, forced Ascension hospitals to:
- Switch to paper records temporarily.
- Redirect emergency services and postpone non-urgent procedures.
The repeat breaches highlight systemic vulnerabilities in healthcare cybersecurity, particularly risks posed by third-party vendors.
### **Broader Implications for Healthcare Security**
With Ascension operating **142 hospitals and 40 senior facilities** across North America and reporting **$28.3 billion in 2023 revenue**, the breach underscores critical challenges:
1. **Third-Party Risks**: Vendors remain a weak link in data protection.
2. **Ransomware Targeting**: Healthcare systems are prime targets due to sensitive data.
3. **Regulatory Scrutiny**: HHS is likely to intensify oversight under HIPAA regulations.
“Healthcare organizations must adopt zero-trust frameworks and rigorously audit vendors,” as advised.