On May 8, 2024, healthcare giant Ascension experienced a cyberattack that compromised the protected health information (PHI) of nearly 5.6 million individuals.
The breach originated from a malicious file inadvertently downloaded by an employee, granting attackers access to Ascension's systems. Investigations revealed that sensitive data, including medical information (e.g., medical record numbers, lab test types, and procedure codes), payment details (e.g., credit card and bank account numbers), and government identification (e.g., Social Security numbers), was exposed.
Ascension clarified that its secure electronic health records (EHR) systems were not accessed during the attack. The healthcare organization began notifying affected individuals on December 19, with 658 Maine residents included among those impacted.
To mitigate harm, Ascension offers affected individuals 24 months of credit monitoring, identity theft recovery services, and $1,000,000 in insurance reimbursement.
Cybercriminals often use double-extortion tactics, exfiltrating data and threatening to release it publicly unless a ransom is paid.
While the Ascension EHRs remained secure, the exposed data spanned multiple categories, including financial and government identifiers, making it highly valuable on the black market.
The Ascension notification letter states, “Ascension has arranged to offer affected individuals 24 months of credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, and fully managed ID theft recovery services through IDX. These services become effective starting December 19, 2024.”
Healthcare organizations like Ascension must continually monitor and improve their cybersecurity.
Additionally, patients who have received the breach notification letter should monitor their accounts and immediately report suspicious activity.
A breach occurs when an unauthorized party gains access to, uses, or discloses protected health information (PHI) without permission. Breaches include hacking, losing a device containing PHI, or sharing information with unauthorized individuals.
If individuals suspect their data has been compromised, they must monitor their accounts for suspicious activity and report any unauthorized transactions immediately.
No, under U.S. law, consumers are entitled to a free credit report annually from each of the three major credit reporting bureaus, Equifax, Experian, and TransUnion. So, placing a fraud alert or credit freeze does not incur any costs.