More than 437,000 patients have been affected by a recent data breach involving Ascension Health, one of the largest non-profit healthcare systems in the U.S. The update, submitted to the Department of Health and Human Services (HHS), confirms that sensitive personal and health information was compromised in an incident traced back to a third-party vendor.
According to Ascension, the breach did not stem from its own systems but from a business partner that had been given access to patient data. The exposure occurred after hackers exploited a vulnerability in third-party software used by that partner. While Ascension has not named the vendor involved, the timeline and method of the breach suggest it may be linked to the Cl0p ransomware group’s attack on Cleo’s file transfer platform—a campaign that also impacted companies like Hertz and Western Alliance Bank.
What Information Was Exposed in the Ascension Health Data Breach
The breach affected Ascension Health facilities in Alabama, Indiana, Michigan, Tennessee, and Texas. The stolen data includes a wide range of personally identifiable information (PII), such as names, home addresses, phone numbers, email addresses, Social Security numbers, health insurance details, and patient diagnoses.
While Ascension first disclosed the incident two weeks ago, it did not initially confirm how many patients were affected. A recent update to the HHS breach portal now puts that number at 437,329 individuals.
To support those impacted, Ascension is offering 24 months of free credit monitoring and identity theft protection. The healthcare provider emphasized that it is working with cybersecurity experts and regulators to ensure proper notifications and mitigation steps are in place.
Despite the scale of this breach, it’s not the largest cybersecurity incident Ascension has faced. In May 2024, the organization reported a far more severe ransomware attack by the BlackBasta group, which compromised data belonging to over 5.6 million patients.
These back-to-back incidents raise serious concerns about the security posture of healthcare vendors and the ripple effects of software supply chain vulnerabilities in the industry.
