Ascension, one of the largest private healthcare companies in the United States, has confirmed that personal data from approximately 437,329 patients have been exposed after cybercriminal attacks.
There is no doubt that the trouble of increasing customer base, thousands of details fell into the hands of hackers, opening up opportunities for fraud and identity theft.
Violations include:
- name
- address
- telephone number
- email address
- Date of birth
- Race
- gender
- Social Insurance Number
- The doctor’s name
- Admission date
- Diagnostic and billing codes
- Medical access details
The healthcare giant explained in a notice letter to affected individuals that it learned in December 2024 that sensitive information related to patients might be held on hacker phones, and by January 21, 2025, it had confirmed that it was dealing with a serious incident.
According to Ascension, it has been “inadvertently disclosed” to a former and unnamed business partner, which information has been “possible stolen” due to the vulnerability of third-party software used by the same business partner.
Industry observers link up Ascension Patient Data Breach with CLOP ransomware Group, which exploited zero-day vulnerabilities in the software in late 2024 in enterprise software developer Cleo.
Security vulnerabilities in Cleo software allow attackers to execute code remotely, stealing files from organizations using vulnerable software.
Other organizations said to have been affected by data breaches related to CLEO include Western Union Bank and Hertz.
Over the past few months, Clop has listed hundreds of companies on its leaked website, with many of the violations related to Cleo.
Ascension said it provides two years of free credit monitoring and identity recovery assistance for people who may be affected by a data breach. But this is for those who may awaken reality, whose sensitive medical data is now circulating publicly.
Meanwhile, Ascension learns that your system is only as secure as the least protected partners.
All healthcare businesses that process sensitive information wisely review the data privacy and security of their own systems, and also review the security of their supply chains.
Editor’s note: The opinions expressed in this guest author’s article are only the opinions of the contributor and do not necessarily reflect Ford’s opinions.
