Pierluigi Paganini May 10, 2025

A data breach at Ascension, caused by a former partner’s compromise, exposed the health information of over 430,000 patients.

Ascension is one of the largest private healthcare systems in the United States, ranking second in the United States by the number of hospitals as of 2019.

At the end of April, the company notified patients that their personal and health information had been compromised in a December 2024 data breach suffered by a former business partner.

The data breach exposed personal and clinical data, including names, contact info, SSNs, and medical visit details. The company states that specific information varies by individual.

“On December 5, 2024, we learned that Ascension patient information may have been involved in a potential security incident. We immediately initiated an investigation to determine whether and how a security incident occurred.” reads the data breach notification sent to impacted individuals. “Our investigation determined on January 21, 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.”

The company did not provide technical details about the security breach, however, the breach likely stems from Clop ransomware attacks exploiting a Cleo file transfer software flaw.

Ascension is offering two years of free identity monitoring, including credit monitoring, fraud support, and identity theft restoration through Kroll.

In a filing on April 29, the healthcare organization reported that the incident impacted 114,692 people in Texas and another 96 residents in Massachusetts.

Ascension disclosed in an April 28 filing with the U.S. Department of Health & Human Services (HHS) that the data breach affected 437,329 individuals.

However, Ascension confirmed in a filing with the U.S. Department of Health & Human Services (HHS) on April 28 that the data breach affected 437,329 individuals.

Unfortunately, this isn’t the first incident suffered by Ascension, in May 2024, the organization was hit by a Black Basta ransomware attack that severely impacted operations at hospitals in the country.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Ascension)