
Ascension Health, a prominent healthcare provider, has confirmed a data breach that exposed sensitive patient information for the second time within a year. The breach apparently occurred due to the exploitation of a flaw in a former business partner's third-party software.
The organization disclosed that the incident occurred on December 5, 2024, exploiting a vulnerability in the software used by a former business partner. Ascension concluded its internal investigation on January 21, 2025.
The exposed data includes personal information such as names, addresses, phone numbers, and email addresses, as well as more sensitive details like Social Security numbers (SSNs), medical record numbers, clinical data, diagnoses, physician information, and insurance details. The amount and type of data affected vary among individuals.
Ascension has taken steps to mitigate the impact of the breach, offering affected individuals two years of credit monitoring via Kroll. The organization stated that it is improving internal systems and processes to prevent similar future incidents.
The notification sent to impacted individuals mentions the company has since reviewed its processes and is currently working to implement enhanced prevention measures.
While Ascension did not disclose specific details about the attack, the timeline and method suggest a possible link to the Cl0p ransomware gang's exploitation of Cleo's enterprise software vulnerabilities.
Similar breaches, including incidents affecting major players like Hertz, have been attributed to attacks on Cleo systems, some of which allowed hackers to circumvent updates dating back to October 2024. However, no definitive link has been confirmed.
This marks yet another security failure for Ascension, following a ransomware attack in May 2024 by the Black Basta gang. The previous breach put the healthcare provider in the spotlight amid increased scrutiny of cybersecurity defenses in the healthcare industry.
The healthcare sector has faced mounting challenges in safeguarding sensitive data. Numerous high-profile breaches include attacks targeting Calibrated Health and Change Healthcare, the latter incurring a $2 billion financial impact.