Dive Brief:
- Personally identifiable and protected health information may have been exposed during a cyberattack at Ascension last month, the Catholic health system said Wednesday.
- Hackers were able to take files from seven servers used by Ascension for routine tasks. The provider said it has about 25,000 servers across its network.
- The attackers gained access to Ascension systems after a worker accidentally downloaded a malicious file, according to the health system.
Dive Insight:
Ascension said it’s still investigating, but has yet to find evidence that data was taken from its electronic health record or other clinical systems.
“Right now, we don’t know precisely what data was potentially affected and for which patients. In order to reach those conclusions, we need to conduct a full review of the files that may have been impacted and carefully analyze them,” a spokesperson said in a statement. “While we have started this process, it is a significant undertaking that will take time.”
Ascension, which operates 140 hospitals across 19 states and Washington, D.C., first detected unusual activity on some network systems early last month. It later confirmed it had been hit by ransomware, a type of malware that denies users access to their data until a ransom is paid.
Cyberattacks can have serious impacts on care delivery, shutting down important technologies, forcing hospitals to divert ambulances to nearby facilities and delaying scheduled procedures.
Ascension is still working to bring key systems back online. The provider has restored its electronic health record in some markets, and it plans to fully repair the EHR across its network by Friday.
The attack on the health system, one of the largest nonprofits in the U.S., comes as the healthcare sector faces a growing number of cyberattacks, including the high-profile incident at UnitedHealth’s claims processing unit Change Healthcare in February.
Data breaches after cyberattacks are affecting more people too, according to the HHS. Last year, hacking accounted for the majority of the large data breaches reported to the Office for Civil Rights, impacting 134 million individuals — a 141% increase from 2022.