The nonprofit health system detected a breach on May 8th and is beginning to restore operations.
The Big Picture
The St. Louis-based healthcare system operates in 19 states and Washington, DC, with over 140 hospitals and dozens of senior living facilities.
The Catholic health system has a primary focus on assisting those in poverty or otherwise vulnerable, providing more than $2.3 billion in care to those in need since 2010.
On May 8th, Ascension said they had detected unusual activity on their network systems. While they have yet to release specific numbers, the attack has caused downed systems and even forced emergency care to be diverted in multiple states. Now, Ascension claims to be in the process of restoring their systems.
How it Started
On May 8th, Ascension released a statement saying, “We detected unusual activity on select technology network systems, which we now believe is due to a cyber security event. At this time, we continue to investigate the situation.”
The health organization shared they first began noticing computer issues in the early morning, and soon after discovered these issues were happening on the Ascension network across the country.
Ascension also shared they would be working with Mandiant, a Virginia-based security company, to “assist in the investigation and remediation process.” As of May 15th, they have brought in additional cybersecurity experts from Palo Alto Networks Unit 42 and CYPFER.
The attack caused Ascension’s health records system and MyChart to go down. Certain systems, including the phone and others used to order tests and medications, were nonfunctional.
Some non-emergency procedures have been delayed and patients were advised to bring appointment notes on their symptoms, current medications, and prescription information for medical staff.
In a statement, Luis Alvarez, president and CEO of Salinas, a California-based technology group, said the attack “looks like a mirror image of Change Health,” an event that put the healthcare industry in a total whirlwind and resulted in UnitedHealth paying a $22 million ransom.
Breach Details
The breach has been claimed by Black Basta, a Russia-linked ransomware organization. The Office of Health and Human Services (HHS) released a threat profile on the organization in 2023.
The organization was initially spotted in early 2022 and is known to use a double extortion tactic, meaning it utilizes ransomware to prevent critical operations while simultaneously stealing sensitive data. Organizations using this tactic generally threaten to publish data on the Dark Web if the ransom goes unpaid.
Black Basta is known to specifically target organizations in the health sector. The organization is known to not immediately demand a ransom but instead tells victimized organizations to contact Black Basta to discuss payment.
It’s unclear how the attack began, but Ascension has stated they detected unusual activity within the network, which likely means a vulnerability was exploited or hackers were otherwise successfully able to infiltrate the system.
What’s New
As of May 15th, Ascension says they continue to “make progress towards restoration and recovery.” They added the health system is “focused on getting systems back up and running as safely and as quickly as possible. We are also working on reconnecting with our vendors with the help of our recovery experts.”
Despite the positive news, Ascension says they have not yet returned to normal operations. They do not have a timeline for completion. Furthermore, they have not confirmed what, if any, personal data was stolen or could be published. The health system said they would send out notices to impacted individuals if needed.
At the time of this writing, it is believed that Ascension has not paid any ransom.
Lawsuits on the Horizon
Only a week after the attack, Ascension is already facing two potential class-action lawsuits. While little information is known–including if any private information was compromised–individuals can still file a case against Ascension for alleged negligence.
The complaints were filed in Illinois and Texas. The Illinois lawsuit claims the breach itself shows Ascension was negligent in properly encrypting data. They allege strong, secure encryption could have potentially prevented Black Basta from exfiltrating data.
The Texas plaintiff argues that data may have been accessed and that harms continue with some Ascension patients being unable to communicate with their provider or receive treatment.
Breaches in the healthcare sector are becoming increasingly litigious, and many settle out of court. While it’s possible the cases may not move forward, they could prove to be an additional challenge as Ascension aims to financially and operationally recover from the event.
In an interview, David Kessler, the head of privacy, information governance, and eDiscovery at Norton Rose Fulbright, said he does not believe Ascension is automatically negligent for being unable to prevent the breach. “The understanding is that there is no such thing as perfect data security–these events are going to happen, that’s the reality of our information age,” he said. Instead, Kessler believes the true question is if Ascension took enough reasonable steps to prevent the incident.
How Cloudticity Can Help
Data shows that breaches spiked in 2023, and 2024 is unlikely to be different. Not only are hospitals and healthcare organizations heavily targeted, but so are the many third parties these organizations work with.
Attacks themselves can be devastating–leading to significant amounts of downtime that can directly impact patients. The massive Change data breach and now Ascension’s breach show the wide impact just one vulnerable network can have.
Breaches are also increasingly costly–between 2020 and 2023, it’s estimated that the cost of a data breach has risen 53% to an average of $11 million per breach.
With increasing costs, mounting lawsuits, and the likelihood of downed operations, it’s more important than ever for healthcare organizations to prioritize security.
These harmful attacks can be prevented, but it takes the right security system and strategy. Cloudticity has managed HIPAA workloads in the cloud for over 12 years, and we’ve never had a breach due to our defense-in-depth security practices.
If you want to learn more about how we can help protect your organization from ransomware, reach out for a free consultation today.