Ascension Health is notifying roughly 5.6 million individuals that their personal, medical, and payment information was compromised in a ransomware attack in May 2024.
The incident occurred on May 8 and resulted in service disruptions that prompted hospitals around the country to revert to downtime procedures and divert emergency medical services.
The healthcare giant was able to restore most of the affected services by mid-June, when it revealed that the attackers had exfiltrated protected health information (PHI) and personally identifiable information (PII) from several of its servers.
In a December 19 incident update on its website, the healthcare giant revealed that it has concluded its investigation into the data breach.
“Since the May ransomware attack, we have been working with third-party experts to investigate what individuals’ data may have been involved in this incident. That review of the data is now complete, and starting today Ascension will begin the process of notifying individuals whose personal information was involved in this incident,” it said.
The potentially compromised information, the healthcare organization says, includes names, addresses, dates of birth, Social Security numbers, government ID numbers, driver’s license numbers, insurance information, medical information, tax identification numbers, and payment information.
“The particular type of information involved, however, varied by individual,” Ascension said in a written notification letter to the impacted individuals, a copy of which was filed with the Maine Attorney General’s Office.
Ascension told Maine AGO that 5,599,699 people were affected by the data breach and that both patients and employees were impacted.
“Notice letters will be mailed to those individuals directly and be delivered over the course of the next 2-3 weeks,” Ascension said.
The healthcare giant is providing the affected individuals with one year of free credit monitoring and identity protection services, which include a $1 million insurance reimbursement policy.
CNN learned from several sources in May that the Black Basta ransomware group was behind the attack, but neither Black Basta nor other cybercrime gang has taken credit for the attack, which could indicate that a ransom has been paid.
Ascension is a non-profit organization that runs one of the largest healthcare systems in the US, managing hundreds of hospitals and roughly 40 senior living facilities.
Related: Texas Tech University Data Breach Impacts 1.4 Million People
Related: Regional Care Data Breach Impacts 225,000 People
Related: Spotting the Charlatans: Red Flags for Enterprise Security Teams
