More than 100,000 impacted by December data breach at Ascension Health

Ascension Health revealed another security incident this week, warning more than 100,000 people in multiple states that their information was likely accessed by hackers late last year.

The large non-profit healthcare network filed breach notices in Massachusetts and Texas this week saying the breach occurred on December 5.

“Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner,” the company said. 

The hackers who exploited the vulnerability likely stole demographic information as well as Social Security numbers, clinical information and data about specific visits that included physicians’ names, diagnoses, medical record numbers and insurance company names. 

Ascension did not say how many people were impacted but told officials in Texas that 114,692 people in the state were affected. 

Ascension did not respond to requests for comment about the total number of victims or whether the incident was connected to last year’s ransomware attack that affected hospitals in dozens of states. 

It took weeks for Ascension Health to recover from the ransomware attack and dozens of hospitals run by the Catholic organization had to turn away ambulances, revert to paper records and cancel non-emergency appointments due to the technology outages.

In total, the healthcare nonprofit said 5,599,699 people had information stolen during the ransomware attack. The ransomware gang behind the incident accessed just seven of its 25,000 servers during the ransomware attack and likely only stole some health information and personal data belonging to “certain individuals.”

Healthcare and insurance industry breaches continue to expose the sensitive information of millions. This week, employee administration company VeriSource Services said 4,052,972 people had information stolen when it was hacked in February 2024.