Ascension Health has confirmed that more than 437,000 patients were affected by a data breach linked to a third-party vendor. The incident did not impact Ascension’s internal systems. Instead, it stemmed from a vulnerability in software used by one of its business partners.
Hackers took advantage of the flaw and accessed sensitive data. The breach likely connects to a wider attack in December involving Cleo’s file transfer platform. The same campaign, run by the Cl0p ransomware group, also targeted companies like Hertz and Western Alliance Bank.
Patient data was exposed from several Ascension locations, including those in Alabama, Indiana, Michigan, Tennessee, and Texas. The stolen information includes names, addresses, emails, phone numbers, Social Security numbers, and health-related details like diagnoses and insurance information.
Ascension initially didn’t share how many patients were impacted. But a recent update to the Department of Health and Human Services (HHS) data breach portal revealed the full number—437,329 individuals.
In response, Ascension is offering two years of free credit monitoring and identity theft protection to everyone affected. This step aims to help reduce the risk of financial or identity harm.
While this breach is serious, it’s not Ascension’s largest. In May 2024, the healthcare system suffered a much bigger ransomware attack. That incident, involving the BlackBasta group, exposed the data of 5.6 million people.
This latest event shows how vulnerable healthcare systems can be—especially when they rely on outside vendors for data processing and file transfers. Even strong internal defenses can’t prevent breaches if a third-party provider fails to secure its tools.
