Ascension Says Personal, Health Information Stolen in Ransomware Attack

Ascension says patient information was stolen in an early-May ransomware attack that involved an employee downloading malware.

US healthcare organization Ascension this week revealed that personally identifiable information (PII) and protected health information (PHI) of an unknown number of patients was stolen in a recent ransomware attack.

Disclosed on May 10, the incident caused disruptions to Ascension’s electronic health record (EHR) system, MyChart, phone systems, and systems used to order medication, procedures, and tests, and forced the company to divert patients at some hospitals.

The healthcare organization launched an investigation into the attack, notified the relevant authorities, and began the restoration and remediation process. By June 11, the company had restored EHR access in 11 states, aiming to restore it across its entire network by June 14.

“However, please note that medical records and other information between May 8th and the date of local EHR restoration may not be accessible as we work to upload the information collected during the system downtime,” the healthcare giant said in an updated incident notice.

In a subsequent update, Ascension noted that its investigation into the attack has determined that the attackers exfiltrated files from seven servers of the roughly 25,000 running across its network.

“Though we are still investigating, we believe some of those files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals, although the specific data may differ from individual to individual,” the company said.

According to Ascension, there is no evidence that data was stolen from EHR or other clinical systems, which store full patient records.

“Right now, we don’t know precisely what data was potentially affected and for which patients. In order to reach those conclusions, we need to conduct a full review of the files that may have been impacted and carefully analyze them. While we have started this process, it is a significant undertaking that will take time,” the healthcare provider said.

The company is providing free credit monitoring and identity theft protection services to all patients and associates who request them, even if the investigation determines that they were not impacted by the incident.

“We encourage all Ascension patients and staff who are concerned to take advantage of these services. We want to be clear, however, that this offer does not mean we have determined that any specific individual patient’s data has been compromised,” Ascension notes.

The company also revealed that the incident was the result of an individual at one of its facilities downloading a file they did not know was malicious.

A non-profit organization, Ascension runs one of the largest healthcare systems in the US, which includes hundreds of hospitals and 40 senior living facilities.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
