Ascension Health

On May 8, 2024, an Ascension employee accidentally downloaded a malicious file. Within hours, Black Basta ransomware encrypted servers across 140 hospitals in 19 states. Staff were locked out of applications. Emergency services had to divert patients.

Data from 7 of Ascension's 25,000 servers: Medical record numbers, dates of service, lab test types, procedure codes, credit card numbers, bank account numbers, Medicaid/Medicare IDs, insurance policy numbers, Social Security numbers, driver's licenses, passport numbers, dates of birth, and addresses.

5.6 million patients and employees.

But the immediate hurt was physical: emergency patients diverted to other hospitals, lab tests delayed for a month, prescriptions unfilled, medical procedures postponed. One of the largest Catholic health systems in America operated on paper for weeks.

Ascension operates 140 hospitals across 19 states. They have IT teams, security operations centers, compliance programs. They were watching for threats. They trained employees on security awareness.

An employee clicked one file, and the entire system collapsed.

They initially reported 546,931 affected individuals to HHS as a placeholder. The real number: 5.6 million—10x higher.

They didn't know which of their 25,000 servers held sensitive data until forensics revealed PHI and PII on 7 of them. They couldn't tell regulators who was affected for months.

140 hospitals in 19 states operating on paper. A month of delayed care. Diverted ambulances.

A $1.8 billion operating loss for FY2024, partly attributed to the cybersecurity incident.

And the realization that their placeholder estimate of half a million affected individuals was off by 5 million people.