Concerns Over Healthcare Cybersecurity

The state of cybersecurity within the healthcare sector is genuinely alarming to me. Regardless of being a nonprofit or for-profit entity, healthcare organizations handle vast amounts of sensitive data. This includes personal details like phone numbers, addresses, emails, as well as critical information such as medical records and insurance data. This trove of information is incredibly valuable and hence, a prime target for cybercriminals.

Unfortunately, many healthcare providers neglect cybersecurity, often viewing it as an afterthought. In 2024, there were 1,160 reported healthcare breaches, compromising a staggering 305 million patient records—a 26% rise from the previous year.

In light of this, Ascension, a Catholic health system based in Missouri, which operates 142 hospitals and employs 142,000 people, disclosed that a breach in December 2024 exposed personal and medical details of over 430,000 patients.

Essentials to Know

As reported in the Ascension Violation Notification Letter, the breach was noted to have begun on December 5, 2024, when the network “may have been involved in a potential security incident.” By January 21, 2025, it was determined that Ascension had “incorrectly disclosed information to a previous business partner,” allowing an attacker to extract data through a software flaw. Essentially, patient records were transferred to a third-party system, which was then exploited by cybercriminals.

The compromised data spanned a wide array of personal information. Exposed details included patients’ names, demographics, financial information, social security numbers, and even clinical data such as names of attending doctors, diagnoses, and insurance information. This is the kind of sensitive data that, in the wrong hands, could facilitate identity theft and various fraudulent activities.

Timeline and Engagement

Ascension officially reported the violation on April 28, 2025, through a filing with the HHS, indicating that 437,329 patients were affected. The company had disclosed specific numbers to state regulators, noting that 114,692 patients from Texas and 96 from Massachusetts had been individually notified of their exposure. In a bid to address the fallout, Ascension is offering those impacted two years of complimentary identity monitoring services.

As one of the largest nonprofit healthcare organizations in the U.S., Ascension operates extensively across North America. While the breach relates to a vendor’s secure file transfer software, it’s noteworthy that Ascension does not refer to this vendor as a third-party partner.

Timing-wise, this incident aligns with a pattern of recent ransomware attacks, particularly those attributed to CL0P, which have exploited vulnerabilities in secure file transfer products. While Ascension itself wasn’t directly affected by ransomware, the stolen data could very well have been part of this wider cyberattack.

Plausibly, those familiar with Ascension aren’t new to data breaches. In May 2024, a previous incident involved a ransomware attack that compromised data for nearly 5.6 million individuals, triggered by a single employee opening a malicious file.

The aftermath was chaotic. The institution lost access to digital records, forcing medical staff to resort to manual record-keeping, which led to appointment cancellations and emergency services being diverted to avoid delays in patient care.

Attempts to get a comment from Ascension for this report were unsuccessful before the deadline.

Post-Breach Precautions

If you’re among those affected or just wary, there are several steps you can take to safeguard your information:

1) Stay alert for phishing scams and use robust antivirus software. Cybercriminals may leverage details like your email or phone number to send fraudulent messages appearing to come from valid healthcare providers or banks. Protect yourself with a strong antivirus program.

2) Remove personal data from the Internet. The more information available online, the easier it is for scammers to exploit. Consider using data deletion services, although nothing guarantees complete removal.

3) Consider identity theft protection. With sensitive data such as social security numbers compromised, the risk of identity theft is real. Investing in identity theft protection can provide vital surveillance and support in case of theft.

4) Set up fraud alerts. This will require creditors to verify your identity before issuing credit in your name, adding an extra layer of protection.

5) Regularly check your credit report. Keep an eye on your report and check for unauthorized accounts to prevent potential financial loss.

6) Change your passwords and employ a password manager. Updating your passwords and using unique, complex ones can diminish the risk of further breaches.

7) Be cautious of social engineering attacks. Fraudsters may use stolen personal information to manipulate you into revealing even more sensitive details. Always verify unsolicited calls or emails before sharing any personal info.

Final Thoughts

Ascension has faced multiple cyber threats, and it seems they have not fully embraced the lessons from past incidents. Is this a one-time occurrence? Perhaps, but it feels like part of a broader issue. The healthcare sector continues to rely on outdated systems and complex vendor networks, leaving itself vulnerable as cyber threats evolve.

Should there be repercussions for hospitals that disregard fundamental cybersecurity principles? That’s worth pondering.