Ascension discloses new data breach after third-party hacking incident
Ascension, one of the largest private healthcare systems in the United States, is notifying patients that their personal and health information was stolen in a December 2024 data theft attack on a former business partner.
The health network operates 142 hospitals nationwide, has over 142,000 employees, and has reported a total revenue of $28.3 billion in 2023.
“On December 5, 2024, we learned that Ascension patient information may have been involved in a potential security incident. We immediately initiated an investigation to determine whether and how a security incident occurred,” Ascension says in data breach notifications sent to affected individuals.
“Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.”
Depending on the impacted patient, the attackers gained access to a combination of personal information, including name, address, phone number(s), email address, date of birth, race, gender, and Social Security numbers (SSNs).
They could also access personal health information related to inpatient visits, including the physician’s name, admission and discharge dates, diagnosis and billing codes, medical record number, and insurance company name.
Even though the breach notifications didn’t state the total number of patients whose data was exposed, the healthcare system said in an April 28 filing with Massachusetts’ Office of the Attorney General that 96 Massachusetts residents were affected and had their medical records and SSNs exposed in the incident.
Ascension now offers two years of free identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration to those affected by this data breach.
While the company didn’t share any additional details regarding the breach at its former business partner, the timeline suggests the attack was part of the wave of Clop ransomware data theft attacks that exploited a zero-day flaw in Cleo secure file transfer software.
An Ascension spokesperson was not immediately available for comment when contacted by BleepingComputer earlier today.
Last year, Ascension notified nearly 5.6 million patients and employees that their personal and health data had been stolen in a May 2024 Black Basta ransomware attack. After the incident, Ascension revealed that the ransomware breach resulted from an employee who downloaded a malicious file onto a company device.