US healthcare giant Ascension says ransomware attack affected nearly six million customers

An abstract image of padlocks overlaying a digital background.

(Image credit: Shutterstock) (Image credit: Shutterstock)

Ascension was struck by ransomware attack in May 2024
It has now concluded its investigation into the attack
Sensitive data on almost 5.6 million people was stolen

Hackers that struck Ascension with ransomware managed to steal a whole treasure trove of sensitive customer information, with medical information, personally identifiable information, payment data, and more all compromised.

The US healthcare giant has now released new details about the ransomware attack, and filed a new form with the Office of the Maine Attorney General.

The cyberattack occurred on May 7 and 8, leading to significant disruptions in clinical operations. Employees were unable to access electronic health records and patient portals, and some facilities were even forced to divert ambulances, and elective care was paused in the aftermath.

Disrupting healthcare

In the filing, the firm said exactly 5,599,699 people were affected by the incident, and in the update, it added that the information crooks took included:

medical information (medical record number, date of service, types of lab tests, or procedure codes)
payment information (credit card information or bank account number)
insurance information (Medicaid/Medicare ID, policy number, or insurance claim)
government identification (Social Security number, tax identification number, driver’s license number, or passport number)
and other personal information (date of birth or address).

While the attack seems enormous, putting millions at risk of identity theft, wire fraud, phishing and social engineering attacks, Ascension is keeping a positive outlook.

“Although patient data was involved, importantly, there remains no evidence that data was taken from our Electronic Health Records (EHR) and other clinical systems, where our full patient records are securely stored," it said.

The company said it will now start notifying affected individuals, and expects the job to be done within three weeks.

At press time, no threat actors took responsibility for the attack, and we don’t know if Ascension paid any ransom in exchange for the data - although it did say the attack hurt its ability to recover from the previous financial year.

Ascension healthcare giant forced to take systems offline following cyberattack
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.