We previously reported that Ascension Health detected a cyber-attack on May 8, 2024, that affected clinical operations in Ascension facilities in six states.

On December 20, 2024, Ascension notified the Maine Attorney General in a regulatory filing that the attack compromised the personal information of 5.6 million individuals. According to Ascension, the incident occurred on February 29, 2024, but was detected on May 8, 2024. The data compromised included individuals’ names, insurance information, Social Security numbers, and payment details. The incident occurred when “an employee accidentally downloaded a malicious file disguised as legitimate…an honest mistake.”

Ascension is notifying the individuals and providing 24 months of credit monitoring, a $1,000,000 insurance reimbursement policy, and identity theft recovery services for those affected by the incident.

The newest health care entity to be hit by a cyberattack is Ascension Health, which operates 140 hospitals and 40 assisted living facilities in 19 states. Ascension confirmed that it has been hit by a cybersecurity attack and that the attack has disrupted its clinical operations. Ascension detected the attack on May 8, 2024, and is in the process of investigating and responding to it.

The attack has reportedly affected clinical operations in Florida, Indiana, Michigan, Oklahoma, Texas, and Wisconsin. Ascension recommends that its business partners contact its IT professionals to determine whether any connections to Ascension systems are at risk.

Unfortunately, threat actors continue to attack health care entities, and the pace does not appear to be abating. As a result, it is important for health care entities to prepare for an incident by implementing an incident response plan, frequent testing of the plan, testing contingent operations and disaster recovery plans, and conducting tabletop exercises to prepare for attacks.