Ascension data breach affects over 435,000 people

St. Louis, Missouri-headquartered Ascension Healthcare said that one of its service providers experienced a significant data security incident last year, compromising the sensitive personal information of over 435,000 individuals.

 

In a data security incident notice filed with the Offices of  Attorney Generals of Texas and Massachusetts, Ascension said that on December 5, it became aware of  a data security incident involving one of its former service providers that compromised the sensitive personal information of its patients.

 

The healthcare provider immediately launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner,” Ascension said.

 

The compromised data included names, addresses, phone numbers, email addresses, dates of birth, race, gender, Social Security numbers, clinical information related to inpatient visit, place of service, physician names, admission and discharge dates, diagnosis and billing codes, medical record numbers, and insurance company name.

 

Ascension, in its filing with the Texas state regulator, said that it had identified 114,692 Texas residents impacted by the incident. However, the incident was reported to the U.S. Department of Health and Human Services Office for Civil Rights where the healthcare provider said that at least 437,329 individuals were affected.

 

Ascension has advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered two years of complimentary identity protection and credit monitoring services through Kroll to all affected individuals.

 

In May last year, Ascension reported another data security incident that compromised the sensitive personal information of more than 5.5 million individuals. According to the healthcare provider’s data breach notice, a cybercriminal obtained a copy of certain files containing personal information of Ascension patients and employees.