Human error to blame in Ascension data breach that impacted 5.6 million patients

The big picture: The healthcare sector has become a lucrative target for cybercriminals, given the abundance of exploitable data and the often inadequate cybersecurity measures affecting many providers. Ascension, which operates 118 hospitals and hundreds of other facilities nationwide, was evidently unprepared for an attack of this magnitude, despite its size and resources.

In a filing with the Maine Attorney General’s office published on December 20, the American healthcare giant revealed that a staggering 5.6 million people had their personal and medical data exposed in a cyberattack earlier this year.

According to Ascension, the breach occurred on February 29 but went undetected until May 8. The attack potentially allowed hackers to access a wealth of sensitive information, including payment details, insurance information, Social Security numbers, addresses, and dates of birth. While Ascension stated that no evidence suggests patient electronic health records were directly compromised, the scale of the breach remains alarming.

As for how a massive healthcare system fell victim to such a severe hack, it came down to a classic error: an employee accidentally downloaded a malicious file disguised as legitimate. The healthcare provider admitted in June that it was “an honest mistake.”

The cyberattack forced Ascension to postpone surgeries and appointments at some facilities, while others had to turn away ambulances. Patients experienced lengthy wait times, and multiple facilities were without access to electronic records for weeks after the breach. The company now says it is working to reschedule delayed procedures and regain its footing.

The financial impact was significant as well. Ascension reported an 8-12 percent drop in patient volume during May and June compared to 2023, attributing the decline directly to the disruptions caused by the attack.

Compounding the situation, the breach followed closely on the heels of the unprecedented Change Healthcare cyberattack, which compromised the data of over 100 million Americans earlier in 2024. That incident, considered the most damaging healthcare hack in US history, also impacted Ascension.

In response to these two major breaches, Ascension says it has diversified its claims clearinghouses to “better protect itself from future incidents.”

The breach ranks as the sixth-largest healthcare data incident ever reported in terms of the number of people affected.

Ransomware attacks, in general, have been on the rise, with 2024 shaping up to be another record-breaking year. They are also becoming increasingly costly. A recent report indicates that the median ransom payment rose to $2.54 million last year – a staggering 41 times larger than the previous year’s median of $62,500.