Ascension notifies patients of data exposure linked to former business partner breach

St. Louis, Missouri-headquartered Ascension Healthcare has begun notifying certain patients of a data security incident involving one of its former business partners. On December 5, 2024, Ascension learned that the former business partner had experienced a hacking incident. An investigation was initiated and, on January 21, 2025, it was determined that Ascension had inadvertently disclosed patient data to the former business partner, and that the data had likely been accessed during the hacking event.

Ascension confirmed that its own internal systems were not affected. According to the investigation, a hacker exploited a vulnerability in third-party software to access data held by the former business partner.

The exposed information may have included names, addresses, phone numbers, dates of birth, email addresses, race or gender, Social Security numbers, medical record numbers, insurance company names, and clinical information related to inpatient visits. This clinical information may have included service locations, physicians’ names, discharge dates, and diagnosis and billing codes.

Ascension stated that it has reviewed its policies, procedures, and processes and will implement additional safeguards to help prevent similar incidents. The impacted individuals had previously received care at Ascension facilities in Alabama, Michigan, Indiana, Tennessee, and Texas.

Individual notifications are being sent by mail, and those affected have been offered two years of complimentary credit monitoring and identity theft protection services. The incident has not yet appeared on the U.S. Department of Health and Human Services’ Office for Civil Rights breach portal, so the total number of affected individuals remains unknown.