Ascension Health Ransomware 2024

2024-05-08T00:00:00.000Z
BREACH INTELLIGENCE

Breach date: 2024-05-08
Industry: Healthcare
Severity: Critical
Records exposed: 5.6M patients
Financial impact: $2.66B+ losses

Breach Summary

The Ascension Health ransomware attack of May 2024 was the most disruptive healthcare cyberattack in US history, forcing Ascension — one of the nation's largest nonprofit hospital systems with 140 hospitals across 19 states — to divert ambulances, cancel surgeries, revert to paper records, and take clinical systems offline for weeks. The attack demonstrated in the most consequential terms the patient safety implications of healthcare ransomware.

What Happened

Ascension detected the attack on May 8, 2024, and immediately took clinical systems offline. For six weeks, 140 hospitals operated on paper-based workflows. Ambulances were diverted. Elective procedures and non-urgent appointments were canceled. Ascension disclosed in December 2024 that 5.6 million patient and employee records had been stolen, including medical records, payment information, and Social Security numbers. The attack was attributed to the Black Basta ransomware group.

Attack Vector Detail

The initial access vector was an Ascension IT worker who accidentally downloaded a malicious file. The Black Basta ransomware group used that initial access to conduct reconnaissance, move laterally, and ultimately deploy ransomware across Ascension's clinical systems. Electronic health records, the MyChart patient portal, medication ordering systems, and other clinical technology were all taken offline.

Clinical staff across 140 hospitals were forced to revert to paper-based workflows that many had never used before. Paper orders, manual medication reconciliation, and handwritten nursing notes replaced EHR workflows that staff depended on completely. The transition produced medication errors and patient harm as a documented outcome of the attack.

Breach Pattern Timeline

May 8, 2024

Ascension — one of the largest U.S. nonprofit Catholic health systems with 140 hospitals across 19 states — detects unusual activity on its IT network. Activates incident response.

May 9-10, 2024

Ascension takes systems offline, including electronic health records (Epic), the MyChart patient portal, lab and imaging systems, and pharmacy ordering. Reverts to paper-based clinical operations across the entire health system.

May 9, 2024

Black Basta ransomware group (Russia-aligned, Conti successor) suspected as threat actor. Confirmed shortly after via Microsoft and CrowdStrike attribution.

May 9 - June 14, 2024

Ascension hospitals operate on paper for ~5 weeks. Patient diversions occur (ambulances rerouted to other hospitals). Medication errors and care delays reported. Two patient deaths later linked to delayed care during the outage.

May 15-30, 2024

Initial cause traced to a contractor employee accidentally downloading a malicious file. The contractor employee's compromised credentials provided initial access.

June 14, 2024

Ascension begins phased restoration of EHR systems. Full restoration of all systems takes additional weeks.

December 2024

Ascension confirms data exfiltration scope: approximately 5.6 million patients' protected health information exposed including medical records, insurance, billing, and SSNs.

2024-2025

Class action consolidation begins. HHS OCR investigation continues. Two confirmed patient deaths linked to outage drive renewed scrutiny of healthcare ransomware as patient safety issue.

2024-2026

Ascension-Black Basta case follows Change Healthcare (Feb 2024) as the second consecutive massive U.S. healthcare ransomware attack in the same year. Foundational precedent for healthcare ransomware patient harm framework and contractor credential security.

Total impact: 5.6 million patients' PHI exposed across 140 hospitals, ~5-week paper-based operations, two confirmed patient deaths linked to outage, foundational precedent for healthcare ransomware patient harm assessment and contractor credential risk.

Executive Lessons

The Ascension breach demonstrated that even large, well-resourced healthcare systems are vulnerable to ransomware that disrupts clinical operations at a scale that creates patient safety risk. The attack forced clinicians to revert to paper-based workflows for weeks, delaying diagnoses and treatments. For PE sponsors with healthcare portfolio companies, clinical system ransomware is not just an IT problem — it is a patient safety and regulatory risk that requires board-level attention and dedicated recovery investment.

Private Equity Implications

For PE sponsors with healthcare portfolio companies, Ascension established that healthcare ransomware financial impact can reach billions. Any healthcare portfolio company must have endpoint security, network segmentation, and clinical business continuity planning as baseline security investments — not future-state aspirations.

How Cloudskope Can Help

Cloudskope's healthcare security practice addresses the specific clinical system risk profile that Ascension's attack illustrated, including endpoint protection for clinical workstations, network segmentation between clinical and administrative systems, and business continuity planning for EHR unavailability scenarios.

Frequently Asked Questions

What happened in the Ascension Health breach?

In May 2024, Ascension Health — one of the largest non-profit Catholic healthcare systems in the United States operating 140 hospitals across 19 states — was hit by a ransomware attack that disrupted clinical operations, electronic health record access, and prescription processing for weeks. Patients were diverted from emergency departments; clinical staff reverted to paper-based workflows.

How did the Ascension attack happen?

Ascension attributed the initial compromise to an employee who downloaded a malicious file. The attack was claimed by the Black Basta ransomware group. The operational disruption persisted for approximately five weeks before EHR systems were fully restored — making it one of the longest sustained healthcare operational outages from a ransomware attack.

How many people were affected?

Ascension disclosed in December 2024 that patient data for approximately 5.6 million individuals was exposed. The exposed data included contact information, demographic data, dates of birth, medical record numbers, and clinical information including diagnoses and treatment data. Some affected individuals also had Social Security numbers exposed.

Who is Black Basta?

Black Basta is a ransomware-as-a-service operation believed to have emerged from former Conti ransomware operators after Conti's 2022 disbandment. The group has been particularly active against healthcare organizations and has used double-extortion tactics combining encryption with data theft and threatened publication.

What did Ascension establish for healthcare cybersecurity?

Ascension demonstrated that ransomware against major health systems creates immediate patient safety consequences — ambulance diversions, surgery cancellations, prescription delays, and reverted clinical workflows all carry medical risk. For healthcare executives and boards, the implication is that ransomware preparedness must include clinical continuity planning, not just data recovery.