Ascension Healthcare Hacked via Third-party Business Partner: Patient Data Exposed

Ascension Healthcare, one of the largest private healthcare systems in the United States, has disclosed a significant data breach after sensitive patient information was compromised through a third-party business partner.

The incident, which affects care sites in Alabama, Michigan, Indiana, Tennessee, and Texas, has put thousands of patients on alert and reignited concerns over healthcare data security.

The breach was first detected on December 5, 2024, when Ascension learned that patient data may have been involved in a security incident.

An immediate investigation was launched, and by January 21, 2025, it was determined that Ascension had inadvertently disclosed information to a former business partner.

Some of this data was likely stolen from the partner due to a vulnerability in third-party software used by the partner-not within Ascension’s own systems or electronic health records.

Scope of Exposed Data

The compromised information is extensive and varies by individual. It includes:

• Names, addresses, phone numbers, and email addresses
• Dates of birth, race, gender, and Social Security numbers
• Clinical information related to inpatient visits, such as physician names, admission and discharge dates, diagnosis and billing codes, medical record numbers, and insurance company names

While the exact number of affected patients has not been disclosed, at least 96 residents of Massachusetts had their medical records and Social Security numbers exposed.

Ascension has moved quickly to address the fallout. The healthcare system is offering two years of complimentary identity monitoring and credit protection services through Kroll to those impacted.

Services include credit monitoring, fraud consultation, and identity theft restoration. Affected individuals are encouraged to remain vigilant, monitor their credit reports, and review account statements for suspicious activity.

Ascension emphasized that its own networks and electronic health records were not breached. The organization has reviewed its data handling processes and is implementing enhanced safeguards to prevent similar incidents in the future.

Officials have also provided resources and guidance to help patients protect themselves against identity theft and fraud.

This breach follows a series of high-profile cyberattacks on healthcare providers, highlighting the persistent risks posed by third-party vendors and software vulnerabilities. As the healthcare sector continues to digitize, robust third-party risk management remains a critical challenge.

Are you from the SOC and DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.