Massive Data Breach at Ascension Exposes 430,000+ Patient Records

Ascension, one of the largest private healthcare providers in the U.S., has confirmed a significant data breach affecting 437,329 patients, linked to a vulnerability in third-party software used by a former business partner. This marks yet another serious blow to the healthcare sector's cybersecurity posture, coming less than a year after Ascension's systems were crippled by ransomware.

  • The breach originated from a December 2024 vulnerability in third-party software used by a former business partner.
  • Ascension confirmed the incident impacted patient health records, billing codes, insurance info, and sensitive personal data including SSNs.
  • Affected information includes:
    - Patient names, dates of birth, race, gender
    - Addresses, phone numbers, email addresses
    - Medical record numbers, diagnosis details, admission/discharge dates
    - Insurance provider details, Social Security numbers
  • The breach was discovered in January 2025, but notifications began rolling out in April.
  • A total of 437,329 individuals are confirmed impacted in the latest HHS filing.

  • Ascension is offering two years of free identity and credit monitoring services to those affected.
  • The breach aligns with a pattern of Clop ransomware attacks that exploited zero-day vulnerabilities in Cleo secure file transfer software.
  • This comes after a May 2024 Black Basta ransomware attack that disrupted hospital operations and exposed 5.6 million records.

The Ascension breach underscores the escalating risks tied to third-party vendors and legacy systems within healthcare. At Net Protector Cyber Security, we continue to stress the importance of zero-trust architectures, regular third-party risk assessments, and proactive vulnerability patching to protect patient data. As cybercriminals expand their tactics, so must our defenses.

Secure every link in your chain — because attackers only need one.