Ascension has confirmed that sensitive personal and health information belonging to over 437,000 patients was exposed in a data breach linked to a former business partner.

The breach, first disclosed last month, is now known to have followed the exploitation of a security vulnerability in third-party software in December 2024.

According to breach notification letters sent in April, the exposed data may include names, Social Security numbers (SSNs), contact information, dates of birth, medical diagnoses, insurance details, billing codes, and more.

The breach was traced back to December 5, 2024, when Ascension discovered that patient information might have been involved in a security incident. By January 21, 2025, it was confirmed that the data was inadvertently shared with a former business partner and likely stolen due to a vulnerability in software used by that partner.

While Ascension initially withheld the full scope of the breach, filings in late April revealed that 114,692 individuals in Texas and 96 in Massachusetts were affected. However, a recently published disclosure to the U.S. Department of Health & Human Services (HHS) put the total number of affected individuals at 437,329.

The incident appears to align with Clop ransomware gang attacks that exploited a zero-day flaw in Cleo’s secure file transfer software, though Ascension has not publicly confirmed the attackers’ identity. In response, the healthcare provider is offering two years of free identity monitoring services, including credit monitoring, fraud consultation, and identity theft restoration.

Ascension operates 142 hospitals and 40 senior care facilities across North America, with more than 142,000 employees and $28.3 billion in revenue reported in 2023. The recurring cyberattacks raise serious concerns about the healthcare giant’s data protection practices and its reliance on third-party vendors.
