Ascension hit with patient lawsuits amid ongoing ransomware attack

May 15, 10:00 a.m.

Ascension Health is already facing the opening salvo of patient class action lawsuits just under a week after a ransomware attack took several systems offline across its hospitals. 

One case, filed May 13 in a Texas district court, comes from a patient who received care at Ascension Seaton Hospital in Round Rock, Texas back in 2023. The other, filed May 14 in an Illinois district court, was brought by a longtime patient of Ascension Saint Mary in Chicago. 

Both plaintiffs are represented by the same counsel, the Chicago-based Law Offices of T.J. Jesky, and have near-identical language. 

They claim that the two plaintiffs and other patients of the large health system have been harmed due to the exposure of their private information during the incident, which was "foreseeable and preventable" if Ascension had implemented "adequate and reasonable cybersecurity procedures and protocols," according to the complaints. 

Ascension has not yet publicly disclosed whether or not patients' sensitive information was compromised due to the cybersecurity incident. In multiple updates released over the past week, the 140-hospital nonprofit said it is still conducting its investigation of the breach.

"If we determine sensitive data was potentially exfiltrated or accessed as part of this incident, we will notify applicable individuals and parties in accordance with our obligations," Ascension wrote in an online FAQ current as of May 13. 

Other online statements posted alongside the FAQ note that Ascension facilities across each state remain open and operational, but that the organization is still working to restore systems, such as MyChart. Ascension has also said that it's informed law enforcement and other government bodies of the incident, and early on hired a third-party cybersecurity firm, Mandiant, to assist. 

The Catholic health system runs 140 hospitals and 40 senior living facilities across the country. It employs about 132,000 people and reported over $28 billion in revenue and billions in operating losses during its most recent fiscal year. 

Fitch Ratings, in a commentary posted yesterday, said that the system's "very strong liquidity and leverage position provides significant rating cushion" for "one-off events, such as the current cyberattack." Since September, the group has rated Ascension as AA+/Negative Outlook.

May 13, 9:00 a.m.

Ascension confirms its cybersecurity incident is a ransomware attack

Ascension said it is communicating with several government organizations and for the first time referred to its cybersecurity event as a "ransomware incident" in an update posted this weekend. 

The 140-hospital health system said that it is still working to investigate and restore its systems—a process that is "making progress" but "will take time to complete" across each of its care sites. 

In the meantime, the system said it has notified law enforcement and other government bodies including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services, among others. 

"We remain in close contact with the FBI and CISA, and we are sharing relevant threat intelligence with the Health Information Sharing and Analysis Center (H-ISAC) so that our industry partners and peers can take steps to protect themselves from similar incidents," an Ascension spokesperson wrote in the May 11 online update. 

Ascension said it first detected the breach on Wednesday and "immediately" moved to protect its systems. The organization said its clinical care has been somewhat disrupted with clinicians working on paper records and some emergency services diverted, but that its teams are trained to work under downtime procedures and its facilities remain open. 

May 10, 10:00 a.m.

Ascension expects cybersecurity downtime procedures to last 'for some time'

Disabled systems, paused procedures and diverted ambulances are the state of affairs at Ascension as the organization continues investigating what it has now confirmed to be a cybersecurity incident

In a Thursday evening update, the 140-hospital health system said it is "working around the clock" but does not have a timeline for when its investigation and eventual restoration will be completed. It also did not share any information on whether its data had been stolen. 

Ascension did disclose that its hospitals are currently working without their MyChart electronic health records system, "some" phone lines and other systems for ordering tests, procedures and medications. 

"It is expected that we will be utilizing downtime procedures for some time," according to an online statement attributed to an Ascension spokesperson. "Patients should bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies." 

Ascension also has several hospitals on diversion for emergency medical services and temporarily pausing "some" of its non-emergent elective procedures, tests and other appointments "out of an abundance of caution," per the update. The system said its teams are working with any patients whose care needs to be rescheduled. 

"We understand the frustration this may cause and sincerely regret any inconvenience to our patients," the spokesperson said in the statement.

St. Louis-based Ascension runs 140 hospitals and 40 senior living facilities across 19 states. On Wednesday, when the incident was detected, the health system said it had hired a third-party cybersecurity firm to assist its investigation but encouraged its business partners to disconnect from its technology environment until further notice. 

May 8, 4:30 p.m.

Ascension reports systems, clinical operations disrupted amid apparent 'cybersecurity event'

Ascension disclosed Wednesday that it has detected “unusual activity” on some of its technology networks that it believes “is due to a cybersecurity event.”

The large nonprofit system said it has “immediately” activated remediation processes and that clinical operations as well as “access to some systems” have been disrupted. The organization has kicked off an investigation and hired a third-party cybersecurity firm, Mandiant, to assist.

“Out of an abundance of caution we are recommending that business partners temporarily suspend the connection to the Ascension environment,” Ascension wrote in a release. “We will inform partners when it is appropriate to reconnect into our environment.”

St. Louis-based Ascension’s statement did not describe the scale of the interruptions nor whether any of its data have been compromised, writing that it is still assessing an ongoing situation. The system said it has also notified the “appropriate authorities” and will provide further updates as they are made available.

“Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines,” it wrote.

The Catholic health system runs 140 hospitals and 40 senior living facilities across the country. It employs about 132,000 people and reported over $28 billion in revenue and billions in operating losses during its most recent fiscal year.

Ascension is diverting ambulances with medically stable patients to other systems and still accepting those in need of lifesaving treatment, the Detroit Free Press reports. An Ascension Michigan doctor told the publication that practitioners have reverted to paper records, phone calls and other non-digital care procedures. 

The system said its care teams “are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible.”