It’s more bad news from Ascension Health which is informing some of its patients, potentially for the second time in the space of a year, that their medical data was compromised during a major cyberattack.
The private medical services provider said one of its former business partners, with which the company had shared some patient medical data, was ransacked by criminals who exploited a vulnerability in third-party software.
This all happened back on December 5, according to the letter being sent to affected individuals. The biz added that its internal investigation into the matter concluded on January 21.
Ascension said the medical data involved was “inadvertently disclosed” to a former business partner who was targeted in an attack on the unspecified software.
The types of data believed to be stolen during the attack include: names, addresses, phone numbers, email addresses, dates of birth, races, genders, and Social Security numbers (SSNs).
Clinical data was also taken in some cases, including: information related to inpatient visits, such as the place of service; physician name; admission and discharge dates; diagnosis and billing codes; medical record number; and insurance company name.
The org said the amount of data and the different data points involved will be different for each affected individual.
As is typical in these cases, victims have been offered two years' worth of credit monitoring via Kroll. Ascension said it's improving its systems, and offered an apology.
“We have since reviewed our processes and are working to implement enhanced measures to prevent similar incidents from occurring in the future,” the letter [PDF] read.
“We regret any inconvenience this incident may cause and are providing you with information about steps you can take to help protect your information,” it went on to say.
Mystery attack
Ascension stayed coy about the details of the attack, but given the timelines involved, and how widespread the attack was at the time, a reasonable guess as to the source of the breach would be Cl0p’s raid on Cleo customers. Nothing is confirmed, however.
Reports of exploitation of fully patched Cleo systems started circulating on December 10, 2024, with the vendor confirming days later that an October security update was being bypassed.
Extortion crew Cl0p quickly took credit for the attack, which bore many resemblances to its earlier raid on MOVEit MFT, a similar product Cl0p had previously breached, stealing data from thousands of organizations that used it.
If Cleo was the source of the intrusion, Ascension would not be alone in disclosing the attack so late. Car hire giant Hertz, for example, confirmed in mid-April that its data was also compromised as part of the Cleo attack campaign, with Hertz, Dollar, and Thrifty brands all affected.
Fool me twice
However it happened, the Ascension data grab marks the second major security snafu for the healthcare provider in the space of a year.
In May 2024, ransomware crew Black Basta claimed an attack on the systems of Ascension itself, prompting cybersecurity agencies to swiftly issue warnings within hours of Reg sources informing us of the crew’s involvement.
It came at a time when healthcare IT and cybersecurity were firmly in the spotlight, in no small part due to the crippling attack on Change Healthcare months earlier – an incident which cost that company $2 billion. ®