Nearly 6 million people were impacted by ransomware attack on Ascension Health

Catholic healthcare giant Ascension Health has warned almost 6 million people that their information was accessed by hackers in a ransomware attack against the organization earlier this year. 

In breach notification documents filed with regulators, Ascension Health said the hackers obtained medical information, insurance data, government identification and payment information after breaking into the hospital network’s systems on May 8.

Everything from records of tests received to credit card information, Social Security numbers, and passports was stolen during the hack — which forced the organization’s 140 hospitals across 19 states to operate manually for weeks.

Victims are getting two years of free identity protection services and access to a $1,000,000 insurance reimbursement policy for fraud incidents.

In total, the healthcare nonprofit said 5,599,699 people were impacted by the breach. The revelation comes after the organization said in June that the hackers accessed just seven of its 25,000 servers during the ransomware attack and likely only stole some health information and personal data belonging to “certain individuals.”

The attack on Ascension proved to be one of the most consequential healthcare attacks in a year filled with headline-grabbing incidents. Dozens of hospitals run by the Catholic organization had to turn away ambulances, revert to paper records and cancel non-emergency appointments due to the technology outages.  

There were more than 3.1 million emergency room visits to Ascension hospitals last year across 19 states, the company said. According to the organization, it provided $2.2 billion in care for those living in poverty in 2023 and has more than 35,000 affiliated providers and 134,000 employees. It also runs 40 senior living facilities.

At the time of the cyberattack, CNN spoke to a nurse at an Ascension hospital in Michigan who said the cyberattack and technology outage ended up “putting patients’ lives in danger.”

Without access to the electronic medical records system, nurses and doctors could not pull up people’s medical history and getting imaging tests done for injuries like strokes or heart attacks was severely delayed.

Nurses had to use communal Google Docs to write down prescription doses and communicate with each other. 

“We are waiting four hours for head CT (scan) results on somebody having a stroke or a brain bleed,” one nurse at Detroit’s Ascension St. John Hospital told the Detroit Free Press. “We are just waiting. I don’t know why they haven’t at least paused the ambulances and accepting transfers because we physically … don’t have the capacity to care for them right now.”

Patients in Texas, Illinois, and Tennessee previously filed class action lawsuits against the organization for the leak of sensitive health information during the cyberattack. 

The Black Basta ransomware gang never publicly took credit for the attack but was implicated by several sources. It took the hospital network weeks to restore every facility’s access to the internet and records systems but wait times tripled during the recovery process in May.

There have been multiple healthcare data breaches this week, including ones impacting Boston University’s renowned Framingham Heart Study, the Center for Vein Restoration and telehealth platform ConnectOnCall.