5.6 million people affected by Ascension cyberattack
The system says it will provide affected patients with complimentary credit monitoring and identity protection services.
Ascension has submitted a report to federal regulators showing that about 5.6 million people were affected by a ransomware attack on the nonprofit health system in May.
With the internal review of the data now complete, Ascension has begun the process of notifying people whose personal information was compromised during the incident. The system said it would provide affected patients with complimentary credit monitoring and identity protection services.
The compromised data in question varies from patient to patient, but may include medical information (such as medical record number, date of service, types of lab tests or procedure codes); payment information (such as credit card information or bank account number); insurance information (such as Medicaid/Medicare ID, policy number or insurance claim); government identification (such as Social Security number, tax identification number, driver's license number or passport number); and other personal information (such as date of birth or address).
Ascension maintained there's no evidence that clinical data was taken from its electronic health records and other clinical systems, where full patient records are stored.
Notice letters will be mailed to affected people directly and will be delivered over the course of the next two to three weeks.
WHAT'S THE IMPACT?
Ascension reported the cybersecurity attack in May after detecting unusual activity on select technology-network systems, and engaged Mandiant, a third-party expert, to assist in the investigation and remediation process.
The attack reportedly disrupted operations due to disconnection from the Epic EHR, and caused long emergency room wait times at some of the health system's 140 hospitals.
On May 12, Katherine Negron filed a class action complaint against Ascension in the U.S. District Court for the Northern District of Illinois. On May 13, Ana Marie Turner filed a similar lawsuit in federal court for the Western District of Texas. Both civil suits, filed by the Law Offices of T.J. Jesky in Chicago, seek monetary damages and demand a jury trial.
The Black Basta ransomware attack brought down Ascension's IT systems, the complaints said, citing the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).
The lawsuits allege that Ascension failed to safeguard personal identifying information and protected health information. Because of the cyberattack, the plaintiffs were unable to effectively communicate with their healthcare providers through the MyChart patient portal or receive the requisite medical care and attention they needed, the complaint said.
The ransomware attack resulted in the unauthorized disclosure of PHI, including names, dates of birth, patient records and Social Security numbers, the lawsuits said.
Ascension confirmed that it has successfully restored its systems and is no longer on downtime procedures. Clinicians can access medical records electronically, much as they did prior to the incident, and appointment scheduling and prescription filling are functioning properly, the health system said.
THE LARGER TREND
The attacker gained access to Ascension's systems after a worker accidentally downloaded a malicious file that was believed to be legitimate, the health system said this summer.
"We have no reason to believe this was anything but an honest mistake," Ascension said in a cybersecurity event update. "Importantly, we have no evidence that data was taken from our Electronic Health Records (EHR) and other clinical systems, where our full patient records are securely stored."
Jeff Lagasse is editor of Healthcare Finance News.
Email: jlagasse@himss.org
Healthcare Finance News is a HIMSS Media publication.