Ascension believes that the cyberattacker who brought its systems down last month also stole a subset of its files that "may contain protected health information and personally identifiable information for certain individuals," a spokesperson wrote in an update posted Wednesday morning.
The system, which has nearly restored its electronic health record (EHR) systems organization-wide, said its investigation has yielded evidence that the attackers "were able to take files" from seven of the health systems' roughly 25,000 network servers.
Those file servers "are used by our associates primarily for daily and routine tasks," Ascension said. There is no evidence that full patient records or other data was taken from the organization's EHR or other clinical systems, it said.
"Right now, we don’t know precisely what data was potentially affected and for which patients," Ascension wrote. "In order to reach those conclusions, we need to conduct a full review of the files that may have been impacted and carefully analyze them."
In the meantime, the organization said it will be offering complimentary credit monitoring and identity theft protection services to any patients or other associates who request it.
Ascension's ongoing investigation has also revealed how the attacker was able to breach its defenses.
"An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate," the system wrote. "We have no reason to believe this was anything but an honest mistake."
The Catholic health system detected the breach in early May, triggering downtime measures across care sites that remained open but were largely working offline.
The nonprofit runs 140 hospitals and 40 senior living facilities across the country. It employs about 132,000 people and reported over $28 billion in revenue and billions in operating losses during its most recent fiscal year.
June 5, 8:00 a.m.
Ascension targets June 14 for system-wide EHR restoration after ransomware attack
Ascension Health has restored access to its electronic health records in its Florida, Alabama and Austin, Texas markets, and now believes it will have those systems restored nationwide by the end of next week.
In a Tuesday update, the nonprofit said its clinicians will be able to access and use patients' health records "as they did prior to the incident" once the EHR restoration is complete.
"While these are promising developments in our recovery efforts, our investigation into this incident remains ongoing, along with the remediation of additional systems," it wrote in the update. "This is a complex process, and it will still take time to complete."
Ascension said it has prioritized EHR access restoration over the course of the ransomware event, which began on May 8. All of the system's 140 hospitals and other locations are open and providing care, the organization said.
Additionally, Ascension said it has also reopened its retail, home delivery and specialty pharmacy sites.
"This means that healthcare providers are able to transmit prescriptions electronically and can send prescriptions to Ascension Rx pharmacies for their patients," the system wrote.
May 15, 10:00 a.m.
Ascension hit with patient lawsuits amid ongoing ransomware attack
Ascension Health is already facing the opening salvo of patient class action lawsuits just under a week after a ransomware attack took several systems offline across its hospitals.
One case, filed May 13 in a Texas district court, comes from a patient who received care at Ascension Seaton Hospital in Round Rock, Texas back in 2023. The other, filed May 14 in an Illinois district court, was brought by a longtime patient of Ascension Saint Mary in Chicago.
Both plaintiffs are represented by the same counsel, the Chicago-based Law Offices of T.J. Jesky, and have near-identical language.
They claim that the two plaintiffs and other patients of the large health system have been harmed due to the exposure of their private information during the incident, which was "foreseeable and preventable" if Ascension had implemented "adequate and reasonable cybersecurity procedures and protocols," according to the complaints.
Ascension has not yet publicly disclosed whether or not patients' sensitive information was compromised due to the cybersecurity incident. In multiple updates released over the past week, the 140-hospital nonprofit said it is still conducting its investigation of the breach.
"If we determine sensitive data was potentially exfiltrated or accessed as part of this incident, we will notify applicable individuals and parties in accordance with our obligations," Ascension wrote in an online FAQ current as of May 13.
Other online statements posted alongside the FAQ note that Ascension facilities across each state remain open and operational, but that the organization is still working to restore systems, such as MyChart. Ascension has also said that it's informed law enforcement and other government bodies of the incident, and early on hired a third-party cybersecurity firm, Mandiant, to assist.
The Catholic health system runs 140 hospitals and 40 senior living facilities across the country. It employs about 132,000 people and reported over $28 billion in revenue and billions in operating losses during its most recent fiscal year.
Fitch Ratings, in a commentary posted yesterday, said that the system's "very strong liquidity and leverage position provides significant rating cushion" for "one-off events, such as the current cyberattack." Since September, the group has rated Ascension as AA+/Negative Outlook.
May 13, 9:00 a.m.
Ascension confirms its cybersecurity incident is a ransomware attack
Ascension said it is communicating with several government organizations and for the first time referred to its cybersecurity event as a "ransomware incident" in an update posted this weekend.
The 140-hospital health system said that it is still working to investigate and restore its systems—a process that is "making progress" but "will take time to complete" across each of its care sites.
In the meantime, the system said it has notified law enforcement and other government bodies including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services, among others.
"We remain in close contact with the FBI and CISA, and we are sharing relevant threat intelligence with the Health Information Sharing and Analysis Center (H-ISAC) so that our industry partners and peers can take steps to protect themselves from similar incidents," an Ascension spokesperson wrote in the May 11 online update.
Ascension said it first detected the breach on Wednesday and "immediately" moved to protect its systems. The organization said its clinical care has been somewhat disrupted with clinicians working on paper records and some emergency services diverted, but that its teams are trained to work under downtime procedures and its facilities remain open.
May 10, 10:00 a.m.
Ascension expects cybersecurity downtime procedures to last 'for some time'
Disabled systems, paused procedures and diverted ambulances are the state of affairs at Ascension as the organization continues investigating what it has now confirmed to be a cybersecurity incident
In a Thursday evening update, the 140-hospital health system said it is "working around the clock" but does not have a timeline for when its investigation and eventual restoration will be completed. It also did not share any information on whether its data had been stolen.
Ascension did disclose that its hospitals are currently working without their MyChart electronic health records system, "some" phone lines and other systems for ordering tests, procedures and medications.
"It is expected that we will be utilizing downtime procedures for some time," according to an online statement attributed to an Ascension spokesperson. "Patients should bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies."
Ascension also has several hospitals on diversion for emergency medical services and temporarily pausing "some" of its non-emergent elective procedures, tests and other appointments "out of an abundance of caution," per the update. The system said its teams are working with any patients whose care needs to be rescheduled.
"We understand the frustration this may cause and sincerely regret any inconvenience to our patients," the spokesperson said in the statement.
St. Louis-based Ascension runs 140 hospitals and 40 senior living facilities across 19 states. On Wednesday, when the incident was detected, the health system said it had hired a third-party cybersecurity firm to assist its investigation but encouraged its business partners to disconnect from its technology environment until further notice.
May 8, 4:30 p.m.
Ascension reports systems, clinical operations disrupted amid apparent 'cybersecurity event'
Ascension disclosed Wednesday that it has detected “unusual activity” on some of its technology networks that it believes “is due to a cybersecurity event.”
The large nonprofit system said it has “immediately” activated remediation processes and that clinical operations as well as “access to some systems” have been disrupted. The organization has kicked off an investigation and hired a third-party cybersecurity firm, Mandiant, to assist.
“Out of an abundance of caution we are recommending that business partners temporarily suspend the connection to the Ascension environment,” Ascension wrote in a release. “We will inform partners when it is appropriate to reconnect into our environment.”
St. Louis-based Ascension’s statement did not describe the scale of the interruptions nor whether any of its data have been compromised, writing that it is still assessing an ongoing situation. The system said it has also notified the “appropriate authorities” and will provide further updates as they are made available.
“Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines,” it wrote.
The Catholic health system runs 140 hospitals and 40 senior living facilities across the country. It employs about 132,000 people and reported over $28 billion in revenue and billions in operating losses during its most recent fiscal year.
Ascension is diverting ambulances with medically stable patients to other systems and still accepting those in need of lifesaving treatment, the Detroit Free Press reports. An Ascension Michigan doctor told the publication that practitioners have reverted to paper records, phone calls and other non-digital care procedures.
The system said its care teams “are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible.”