
Ascension: Hackers stole some patient data but didn't breach electronic health record system

Ransomware hackers who attacked the nonprofit hospital network Ascension last month were not able to exfiltrate data from the electronic health record system, a pivotal finding given the size of the network, which sprawls across 180 hospitals and senior care facilities nationwide.

In an update on Wednesday, a spokesperson for the large Catholic healthcare organization said investigators believe the ransomware gang was only able to access seven of the organization’s 25,000 servers.

Ascension officials said they don’t know precisely what data was potentially affected and for which patients but noted that they “believe some of those files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals.” 

“At this point, we now have evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks,” an Ascension spokesperson said, explaining that the servers involved were not connected to the larger electronic health record system. 

“We have also identified how the attacker gained access to our systems. An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate. We have no reason to believe this was anything but an honest mistake.”

Ascension added that it will take more time to figure out how many people had data stolen and what specific information was accessed. While the investigation continues, Ascension is offering complimentary credit monitoring and identity theft protection services to any patient who asks for them.

The healthcare organization did not say how long the free services will be available or how someone would know whether they should sign up for them.

In 2023, the organization handled 16.4 million physician office and clinic visits as well as 3.1 million emergency room visits. 

On Tuesday, Ascension explained that access to the electronic health record system has been restored at hospitals in Florida, Alabama, Tennessee, Maryland, Oklahoma, Wisconsin, Illinois, Kansas as well as parts of Texas, Michigan and Indiana.

It expects all other facilities — including those in Arkansas, the District of Columbia, Louisiana and Missouri — to be restored by Friday. 

The restoration of the system addresses one of the most crippling aspects of the ransomware attack. For weeks, nurses have told local news outlets of the dangers they faced in trying to manage prescriptions, test results and more without access to patients’ records. 

Nurses and doctors were forced to use text message chains, Google Docs and other temporary tools to track pill distribution. The increased wait times for test results due to the technology outages endangered the lives of some patients, several nurses said over the last month. 

With the restoration, patients will now also have access to the portal where they can access their own records. But Ascension warned that any data from May 8 to the date of restoration may not be in patient records. 

The real-world harm caused by the attack reignited concerns raised by legislators about cybersecurity in the healthcare space. On Monday, the White House unveiled a plan with Microsoft and Google to offer more low-cost cybersecurity services to rural hospitals.

Anne Neuberger, deputy national security advisor for cyber and emerging technologies, said cyberattacks against the U.S. healthcare systems rose 130% in 2023.

“The rise in healthcare related cyber attacks is alarming because there is a human cost involved when the ability of hospital systems to provide care is severely disrupted,” Google Cloud’s Taylor Lehmann said. “We have seen hospital systems and physician groups go out of business, face bankruptcy and take months to recover from such damaging attacks.”

Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.