Human error to blame in Ascension data breach that impacted 5.6 million patients

zohaibahd

Posts: 977   +19
Staff
The big picture: The healthcare sector has become a lucrative target for cybercriminals, given the abundance of exploitable data and the often inadequate cybersecurity measures affecting many providers. Ascension, which operates 118 hospitals and hundreds of other facilities nationwide, was evidently unprepared for an attack of this magnitude, despite its size and resources.

In a filing with the Maine Attorney General's office published on December 20, the American healthcare giant revealed that a staggering 5.6 million people had their personal and medical data exposed in a cyberattack earlier this year.

According to Ascension, the breach occurred on February 29 but went undetected until May 8. The attack potentially allowed hackers to access a wealth of sensitive information, including payment details, insurance information, Social Security numbers, addresses, and dates of birth. While Ascension stated that no evidence suggests patient electronic health records were directly compromised, the scale of the breach remains alarming.

As for how a massive healthcare system fell victim to such a severe hack, it came down to a classic error: an employee accidentally downloaded a malicious file disguised as legitimate. The healthcare provider admitted in June that it was "an honest mistake."

The cyberattack forced Ascension to postpone surgeries and appointments at some facilities, while others had to turn away ambulances. Patients experienced lengthy wait times, and multiple facilities were without access to electronic records for weeks after the breach. The company now says it is working to reschedule delayed procedures and regain its footing.

The financial impact was significant as well. Ascension reported an 8-12 percent drop in patient volume during May and June compared to 2023, attributing the decline directly to the disruptions caused by the attack.

Compounding the situation, the breach followed closely on the heels of the unprecedented Change Healthcare cyberattack, which compromised the data of over 100 million Americans earlier in 2024. That incident, considered the most damaging healthcare hack in US history, also impacted Ascension.

In response to these two major breaches, Ascension says it has diversified its claims clearinghouses to "better protect itself from future incidents."

The breach ranks as the sixth-largest healthcare data incident ever reported in terms of the number of people affected.

Ransomware attacks, in general, have been on the rise, with 2024 shaping up to be another record-breaking year. They are also becoming increasingly costly. A recent report indicates that the median ransom payment rose to $2.54 million last year – a staggering 41 times larger than the previous year's median of $62,500.

Permalink to story:

 
In, the mean time, the end user John or Jane Q public, must jump through company hoops to access their accounts, in the name of security, when this company, (and many other companies) should be focused on their own security! Hackers, are not usually after the end user.
 
Wow, they're really stepping up to bat for a random employee. They must have skipped on offering security training.
my wife worked for them. They didn't finish paying her contact out and ghosted her. In the mean time they hired an IT firm in India, let that sink in! Fired most if not all their IT department staff (Permanent and contracted) in the United States. No responsibility for a company outside the United States who controls all the patient data in India! So, they totally lack the security and HIPPA training that's required in the United States. Everything to save a buck to get a bonus.
 
I don't trust the health industry when it comes to health let alone data
I agree with you.
I had zero trust when the entire system I was exposed to when I was in need of care while facing certain death(so they said).
Thw lies were obvious and none of the "professionals" were consistent with each offering different lies.
However, this experience prompted me to uncover the truth, which came in the form of school...
classes for a job in healthcare were relatively less expensive than upgrading my current state of unemployment(at the time) forced upon me by my own deteriorating health. And I learned what all the answers to my questions were without, paying for lies!
My new career in ban(bodyareanetwork) IT has proved to be real and the industry goes back to 1954. Not hidden from students and industry professionals- but, not offered to the patients as transparency...
 
In, the mean time, the end user John or Jane Q public, must jump through company hoops to access their accounts, in the name of security, when this company, (and many other companies) should be focused on their own security! Hackers, are not usually after the end user.
what if the REAL HACKING was within your body?
 
Wow, they're really stepping up to bat for a random employee. They must have skipped on offering security training.
They outsourced their IT to India to save a buck! Worked for a large US Company, had Security training sessions and had "spoof" training emails all the time! If you clicked on the "spoof" emails you were sent back to training, a second time no internet privileges and a third time you were FIRED! 😲
 
Back