Employee Downloads Malicious File, Leading to Ascension Hack

In May 2024, Ascension, one of the largest healthcare systems in the United States, fell victim to a ransomware attack. This cyber-attack was traced back to an employee who inadvertently downloaded a malicious file, believing it to be a legitimate one. This seemingly honest mistake had significant repercussions, leading to a widespread disruption of Ascension’s operations.

The ransomware attack had an immediate and profound impact on several critical systems within the healthcare network. Among the affected systems was the MyChart electronic health records system, which plays a crucial role in managing patient information and records. Additionally, the attack compromised the healthcare provider's phone systems and various other systems used to order medical tests, procedures, and medications.

In response to the cyber-attack, Ascension took swift action to contain the situation. On May 8, 2024, the organization decided to take some devices offline to mitigate the spread of the ransomware. This decision, while necessary, forced employees to revert to using paper records to keep track of procedures and medications, as electronic access to patient records was no longer possible.

The attack also had a ripple effect on the scheduling and execution of medical services. Ascension had to pause certain non-emergent elective procedures, tests, and appointments. To prevent delays in emergency medical services, which could have serious consequences, Ascension diverted emergency cases to other healthcare units.

Despite the immediate containment measures, Ascension reported that some of its services remained impacted even weeks after the initial attack. The healthcare system has been diligently working to restore full functionality to its electronic health records systems, patient portals, phone systems, and the systems used for ordering tests, procedures, and medications.

An ongoing investigation into the attack has revealed that the threat actors managed to access and exfiltrate files from seven out of approximately 25,000 servers on Ascension's network. These compromised servers were primarily used by employees for daily and routine tasks. While there is evidence that some of the stolen files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII) of certain individuals, the specific data affected varies from person to person. Fortunately, Ascension has not yet found proof that the attackers accessed data from its core Electronic Health Records (EHR) and other clinical systems, which store comprehensive patient records.

Although Ascension has not officially identified the group responsible for the ransomware attack, reports from CNN suggest that the Black Basta ransomware gang is behind the incident. This group is known for its sophisticated ransomware operations, targeting large organizations and demanding significant ransoms for the return of stolen data and the decryption of affected systems.

The Ascension ransomware attack highlights the critical importance of cybersecurity in healthcare. Even seemingly minor mistakes, such as downloading a malicious file, can have far-reaching consequences. The incident underscores the need for robust cybersecurity measures, including employee training, to prevent similar occurrences in the future.

In the aftermath of the attack, Ascension continues to prioritize the restoration of its systems and the protection of patient data. The healthcare provider is committed to learning from this incident and strengthening its defenses against future cyber threats. This experience serves as a stark reminder of the vulnerabilities in the healthcare sector and the ongoing battle against cybercriminals targeting essential services.