Cyberattack Disrupts Major U.S. Healthcare Network, Exposing Patient Data A ransomware attack has severely disrupted operations at Ascension, one of the largest nonprofit healthcare systems in the U.S., forcing hospitals and clinics across multiple states to divert emergency services and revert to manual record-keeping. The incident, detected on May 8, 2024, targeted Ascension’s network, which serves 140 hospitals and 40 senior care facilities in 19 states and Washington, D.C. The attack has caused widespread outages, including disruptions to electronic health records (EHR), phone systems, and scheduling tools. Emergency departments at several Ascension hospitals have been temporarily closed or redirected, while non-emergency procedures and appointments have been delayed or canceled. Staff have resorted to paper-based workflows, slowing patient care and increasing the risk of errors. Ascension confirmed the incident involved ransomware, though the specific strain and threat actor remain unidentified. The organization is working with cybersecurity firm Mandiant and law enforcement, including the FBI and CISA, to investigate the breach and restore systems. While no ransom demand has been disclosed, the attack follows a pattern of escalating cyber threats against healthcare providers, which are frequent targets due to their sensitive data and critical infrastructure. Patient data exposure remains a concern, though Ascension has not confirmed whether protected health information (PHI) was accessed or exfiltrated. The incident underscores the growing vulnerability of healthcare systems to cyberattacks, which have surged in recent years, often disrupting care and compromising patient safety. Similar attacks on Change Healthcare (February 2024) and CommonSpirit Health (2022) have demonstrated the cascading effects of such breaches, including financial losses and operational paralysis. As of May 13, 2024, Ascension continues to assess the full scope of the attack, with recovery efforts expected to take weeks. The incident highlights the urgent need for enhanced cybersecurity measures in the healthcare sector, where the stakes human lives and data privacy are uniquely high.

Ascension, one of the largest private healthcare systems in the United States, experienced a data breach that exposed the personal and healthcare information of over 430,000 patients. The incident, disclosed in April, involved a data theft attack impacting a former business partner in December. Attackers accessed personal health information related to inpatient visits, including physician names, admission and discharge dates, diagnosis and billing codes, medical record numbers, and insurance company names. Personal information such as names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers were also compromised. The breach was linked to a vulnerability in third-party software used by the former business partner, likely part of widespread Clop ransomware attacks.

Ascension experienced a ransomware attack involving social engineering which resulted in the data of 5,599,699 individuals being affected. An employee was tricked into downloading malware, resulting in a data breach. Although there was no evidence that data was extracted from their Electronic Health Records (EHR) and other clinical systems where complete patient records are securely kept, personal information was involved and notifications to the affected individuals have been initiated.

Ascension faced a ransomware attack resulting in severe disruptions across 140 hospitals, implicating patient care and treatment schedules. The recovery was hindered by the need for 'assurance' letters to reconnect systems with suppliers, adding to the operational chaos. The impact extended to canceled appointments and surgeries, and pushed medical staff to revert to manual processes. The organization's swift action towards transparency and reconnection of supplies post-attack mitigated prolonged delays.

On December 19, 2024, the Washington State Office of the Attorney General disclosed a ransomware attack targeting Ascension Health, initially detected on May 8, 2024. The breach compromised the personal data of 5,787 Washington residents, exposing highly sensitive information, including Social Security numbers (SSNs) and medical records. The attack posed severe risks to affected individuals, as exposed SSNs and medical data can facilitate identity theft, financial fraud, and targeted phishing scams. Given the nature of the stolen data—health records in particular—the breach also raised concerns about long-term privacy violations, potential blackmail, and misuse of medical histories. Ascension Health, a major healthcare provider, faced reputational damage, regulatory scrutiny, and potential legal liabilities due to the failure to prevent the attack. The incident underscored vulnerabilities in healthcare cybersecurity, where ransomware groups increasingly target critical patient data for extortion. The exposure of such information not only harms individuals but also erodes trust in the organization’s ability to safeguard confidential records. Recovery efforts likely involved forensic investigations, notification processes, credit monitoring for victims, and system reinforcements to mitigate future threats.

In February 2024, Ascension, a major healthcare provider, suffered a devastating ransomware attack initiated when a contractor clicked a phishing link via Microsoft Bing and Edge. The attack exploited Kerberoasting, leveraging Microsoft’s outdated RC4 encryption (a 1980s protocol long deemed insecure) to gain administrative privileges through Active Directory. Hackers then deployed ransomware across thousands of systems, compromising personal data, medical records, payment/insurance details, and government IDs of over 5.6 million patients. The breach disrupted hospital operations, delayed critical treatments, and exposed systemic vulnerabilities tied to Microsoft’s default security configurations—including weak password policies for privileged accounts. Despite repeated warnings from CISA, FBI, and NSA about RC4 and Kerberoasting risks (notably by state actors like Iran), Microsoft had yet to disable RC4 by default, prolonging exposure. Ascension’s incident underscores the cascading impact of legacy encryption flaws, poor default security settings, and third-party contractor risks in healthcare cybersecurity.

Healthcare Cyberattacks: The $1.3 Billion Cost of Ransomware and Why CFOs Must Lead the Response In 2024, Ascension Health faced a ransomware attack that inflicted an estimated $1.3 billion in financial damage—a staggering blow that smaller and mid-sized healthcare providers may not survive. Beyond immediate costs like breached records and operational downtime, such incidents disrupt patient care, delay reimbursements, and erode long-term trust. For healthcare organizations, cybersecurity is no longer just an IT concern; it’s a financial and patient safety crisis. ### The Escalating Threat Landscape Healthcare remains the most targeted and costly sector for cyberattacks, with breaches averaging $10 million per incident in the U.S.—a 50% increase since 2020. Key risks include: - Ransomware: Demands averaged $5.2 million in 2024, with healthcare among the hardest-hit industries. - Phishing & Social Engineering: These attacks cost healthcare organizations $9.77 million per breach. - Prolonged Breach Containment: Healthcare breaches take 279 days to resolve—five weeks longer than other sectors—amplifying financial and operational fallout. - Regulatory Penalties: The HHS Office for Civil Rights (OCR) is investigating 554 hacking-related breaches, with fines in 2025 ranging from $75,000 to $3 million per case. ### Why CFOs Must Partner with CISOs As cyber threats grow, chief financial officers (CFOs) and chief information security officers (CISOs) must collaborate to align security investments with financial resilience. Key challenges include: - Downtime Costs: A 24-hour system outage can cripple billing, claims processing, and liquidity. - Insurance & Liquidity: CFOs must secure emergency funds, manage insurer payouts, and coordinate vendor payments during crises. - Vendor Risks: Third-party breaches are under OCR scrutiny, requiring stricter oversight (e.g., SOC 2/ISO 27001 compliance). - Cyber Insurance: Premiums remain high, but tailored coverage can mitigate healthcare-specific risks like billing disruptions. ### A Financial Action Plan for Cyber Resilience To mitigate risks, healthcare CFOs are adopting proactive measures: - Tabletop Exercises: Simulating attacks to practice crisis response, including liquidity sourcing and insurer coordination. - Dedicated Cyber Reserves: Allocating 1–2% of operating expenses for breach response, penalties, and uninsured costs. - Vendor Accountability: Enforcing breach-notification clauses and cyber insurance requirements for third parties. - Strategic Insurance Use: Leveraging policies that cover healthcare-specific disruptions, such as delayed reimbursements. ### The Human Cost of Cyberattacks Beyond financial losses, cyber incidents directly endanger patients—delaying diagnostics, canceling procedures, and compromising care. For organizations without Ascension’s resources, a single attack can force closures or severe cost-cutting. As regulators and insurers demand quarterly cyber attestations, the CFO-CISO partnership is critical to ensuring compliance, financial stability, and patient safety. The message is clear: In healthcare, cybersecurity is not just a technical issue—it’s a survival strategy.

Ascension Michigan notifies some of its patients of a data breach that happened between Oct. 15, 2015, and Sept. 8, 2021. It noticed suspicious activity in its electronic health record and upon investigation found that an unauthorized individual accessed its patient information. The compromised information included full name, date of birth, address(es), email address(es), phone number(s), health insurance information, health insurance identification number and medical records, Social Security numbers. The Ascension Michigan offered free credit and identity theft protection-monitoring services to the affected patients.