Ascension, one of the largest healthcare systems in the United States, disclosed that a ransomware attack in May 2024 was initiated when an employee mistakenly downloaded a malicious file onto a company device.
The healthcare provider indicated that the employee likely believed they were downloading a legitimate file, classifying the incident as an "honest mistake."
The ransomware attack disrupted the MyChart electronic health records system, phone lines, and systems for ordering tests, procedures, and medications. In response, Ascension took some devices offline on May 8 to address what was initially termed a "cyber security event."
As a result, staff had to record procedures and medications manually since electronic patient records were inaccessible. Ascension also temporarily halted some non-urgent elective procedures, tests, and appointments and redirected emergency medical services to other facilities to avoid delays in patient care.
As of Wednesday, Ascension reported that certain services remain affected and that efforts to restore electronic health record systems, patient portals, and phone systems, as well as test, procedure, and medication ordering systems, are ongoing.
An ongoing investigation revealed that the attackers accessed and stole files from only seven of the thousands of servers on Ascension's network.
"Currently, we have evidence showing the attackers accessed files from a limited number of servers used by our staff for daily tasks. These servers account for seven out of approximately 25,000 across our network," an Ascension spokesperson stated. "While the investigation continues, we believe some of the compromised files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII), though the specific data affected varies."
However, Ascension has not found evidence that the attackers accessed data from its Electronic Health Records (EHR) and other clinical systems, which contain comprehensive patient records.
Though Ascension has not officially identified the responsible party, CNN reported that the Black Basta ransomware group is suspected to be behind the attack.
Shortly after the incident, the Health Information Sharing and Analysis Center (Health-ISAC) issued a warning that Black Basta had intensified its attacks on the healthcare sector.
Since its emergence in April 2022, Black Basta has targeted numerous high-profile organizations, including Rheinmetall, Capita, ABB, and the Toronto Public Library. Research by Elliptic and Corvus Insurance indicated that the group had extorted over $100 million from more than 90 victims as of November 2023.
As a major nonprofit health network, Ascension operates 140 hospitals and 40 senior care facilities. In 2023, it reported a total revenue of $28.3 billion. The organization employs 8,500 providers, with 35,000 affiliated providers and 134,000 associates across 19 states and the District of Columbia.