430K Patients’ Data Exposed in Ascension Breach

Ascension, a healthcare company with 105 hospitals across the United States, recently notified patients of a potential breach of their data. Although the organization did not disclose the number of patients impacted, the U.S. Department of Health and Human Services Office for Civil Rights Breach Portal listed the breach as affecting 437,329 individuals.
Ms. Ngoc Bui, Cybersecurity Expert at Menlo Security, comments, “Unfortunately targeting healthcare is not uncharacteristic — the industry has long been a prime target for threat actors due to the sector’s critical operations and high susceptibility to disruption. Organizations in the healthcare industry, and beyond, should leverage the power of a robust threat intelligence program to stay proactive and informed. By continuously monitoring emerging threats, and adapting to evolving tactics, techniques, and procedures (TTPs), organizations can mitigate risks more effectively.”
Hackers targeted a third-party software vulnerability in order to steal the data. The organization states that it was notified of the incident on December 5, 2024, and that the third party was a former business partner to which Ascension inadvertently disclosed the stolen information. Some believe that, due to the nature and timing of the attack, the incident may have been linked to the attack on Cleo’s file transfer platform, in which ransomware group Cl0p extracted data from several organizations, such as Hertz and Western Alliance Bank.
Stephen Kowski, Field CTO at Pleasanton, adds, “The healthcare sector remains an attractive target due to its critical nature and often complex digital infrastructure. We see these across most industries, not just targeting healthcare organizations. Modern security solutions that detect and block sophisticated phishing and social engineering attempts in real time are essential for protecting sensitive healthcare operations.”
According to the notice, information at risk may include:
- Names
- Phone numbers
- Email addresses
- Physical addresses
- Birth dates
- Demographic data (such as race and/or gender)
- Social Security Numbers
Clinical information may also be at risk, such as service locations, physician names, medical record numbers, insurance company names, admission and discharge dates, and diagnosis and billing codes.
Mr. Agnidipta Sarkar, Vice President CISO Advisory at ColorTokens, states, “The first thing that security teams need to recognize is that it is absolutely critical to know all your digital systems and how they talk to each other. The next thing to identify is how much of those communications are proactively secured through zero trust mechanisms like enhanced identity governance, microsegmentation, or software-defined perimeters. Especially when it comes to third-party access to patient records and other hospital information. This is critical now, considering the increasing adoption of artificial intelligence in decision-making and the use of AI agents.”
“What Ascension Health experienced should be a warning to all hospitals and should help the leadership to identify investments to protect from supply chain attacks. And not only hospitals. If you remember the Sunburst supply chain attack in 2020, the impact was not only data leaks, it was far bigger including reputational damage, lost revenue, and more.”