Ascension Ransomware Attack: Impact and Prevention Tips

In May 2024, Ascension Health, one of the largest nonprofit healthcare systems in the U.S., was hit by a major ransomware attack which had a profound impact on its operations. The incident  resulted in a serious hospital data breach, shutting down electronic health record (EHR) systems across several states and forcing doctors and nurses to resort to pen and paper to keep medical records, causing delays in patient care.

In this article, we’ll break down what happened during the Ascension ransomware attack, how it affected Ascension’s services and data, its financial impact, and the lessons learned. We’ll also share practical tips and best practices to help healthcare organizations prevent ransomware in hospitals and better protect patient data security.

The ransomware attack timeline began on May 8, 2024, when Ascension’s IT team detected unusual activity on the network. Later that day, multiple core systems started failing, and Ascension declared a “cybersecurity event” as hospital staff were suddenly locked out of applications.

An investigation revealed that an employee had accidentally downloaded a malicious file, allowing hackers to infiltrate Ascension’s network. The attackers – suspected to be the Black Basta cybercriminal group – deployed ransomware that encrypted servers and data, knocking out systems used to order tests, procedures, and medications.

Ascension’s electronic health record platform (including its patient portal MyChart) became unavailable, preventing access to medical charts. In response, Ascension initiated downtime protocols: clinicians switched to manual charting and some hospitals went on diversion for emergency medical services (rerouting ambulances) as a precaution.

Over the next several weeks, cybersecurity experts worked around the clock to contain the breach and restore systems. Ascension’s public updates described an ongoing cybersecurity incident response, with certain non-emergency appointments postponed and backups being used to rebuild servers.

It took approximately six weeks for Ascension to fully restore its electronic health records system and normal operations. Law enforcement and federal agencies were engaged, and on July 26, 2024, Ascension officially reported the attack as a healthcare data breach to the Department of Health and Human Services’ Office for Civil Rights.

Notably, investigators later found the hackers accessed only 7 out of 25,000 servers and did not penetrate the primary EHR database. However, files on some ancillary servers were stolen – potentially containing patient health information – showing the attackers’ double extortion tactics of both locking and stealing data.

The impact of the Ascension hospital ransomware attack on day-to-day healthcare services was immediate and quite harsh. Multiple Ascension hospitals had to divert incoming emergency patients to other facilities, and many surgeries and routine appointments were delayed or rescheduled.

Care teams reverted to paper charts and phone calls, which dramatically slowed down workflows and increased the risk of dangerous errors. In the weeks following the attack, doctors and nurses described harrowing lapses in care – lab test results went missing, medication orders were delayed, and safety checks normally enforced by computer systems failed to alert staff. In fact, one ICU nurse nearly administered the wrong drug dosage because the electronic scanning system was offline and the handwritten paperwork was confusing.

Although staff worked tirelessly to maintain patient care, the lack of automation and decision support made the environment “borderline dangerous,” as nurses put it. Patients also felt the disruption: with many unable to access their medical records or schedule visits via the patient portal, leading to anxiety and frustration as their care was put on hold.

During the breach, the attackers were able to copy files from a small number of internal servers. Ascension later acknowledged that some of those files likely contained protected health information (PHI) and personal identifiers (names, addresses, insurance details, etc.) for certain patients.

As mentioned before, the hackers did not gain access to the main electronic health records system or its database of full medical histories. This meant the hospital data breach was limited in scope, but it still exposed information for potentially thousands of individuals.

Out of caution, Ascension offered free credit monitoring and identity theft protection to affected patients.

Beyond operational disruption, the ransomware attack healthcare carried hard financial repercussions for Ascension. The timing of the attack – in the final quarter of Ascension’s fiscal year – derailed the health system’s financial recovery plan.

Across FY2024, Ascension ultimately posted a $1.8 billion operating loss, a serious decline partly attributed to the cybersecurity in healthcare incident. Prior to the attack, Ascension had been narrowing its losses (only $332 million lost in the ten months through April 2024, versus a $1.9 billion loss in the prior year).

However, the ransomware attack in May and June erased much of those gains. According to Ascension’s reports, the attack caused widespread revenue cycle disruptions – claims submissions were delayed, and payment processing was interrupted, which strained cash flows.

To stabilize its finances, Ascension used multiple healthcare recovery strategies. The organization tapped into business continuity options like securing advance payments from insurers and federal payers to offset the short-term cash shortfall. Leadership also accelerated cost-control measures and revisited the IT budget to invest in better infrastructure.

To give you an example, in the wake of the attack, Ascension diversified its IT vendors – it added redundancy for its claims management systems, after a related third-party outage (the Change Healthcare ransomware attack in February 2024) had already exposed that vulnerability.

The Ascension ransomware attack taught us some lessons that can help other healthcare organizations prevent similar incidents from happening:

1. Employee training is needed. The breach at Ascension started with a phishing email, which shows how important it is to make sure all staff are trained to recognize suspicious messages.
2. Another big lesson is the need for an incident response plan. When the attack hit, Ascension’s staff wasn’t fully prepared for a prolonged outage. Having a clear, practiced plan in place for these types of disruptions is important.
3. When it comes to securing systems and data, Ascension learned the hard way that it’s not enough to focus just on the main electronic health records system. All systems that handle patient data need to be protected, whether it’s auxiliary servers or backup systems.
4. Early detection was another key takeaway. Ascension didn’t catch the breach until systems were already locked down, so it’s important to have tools in place that can detect suspicious activity as soon as possible.

No health system can afford to be complacent after Ascension’s experience. Here are some best practices healthcare institutions should implement to reduce the risk of a ransomware attack healthcare:

1. Humans are always the first line of defense. Conduct regular training on phishing and social engineering so staff can recognize suspicious emails or links. Emphasize that one click can let an attacker into the network. Implement email filters and warning banners for external emails and consider phishing simulation exercises to keep employees alert.
2. Ensure all software – including EHR platforms, medical device firmware, and standard IT systems – is kept up to date with the latest security patches. A lot of cybersecurity incidents in healthcare exploit known vulnerabilities in outdated systems. Maintain an inventory of all network-connected devices (from MRI machines to pharmacy systems) and regularly update or replace any that no longer receive security updates.
3. Design the hospital network(s) with internal barriers so that a breach in one system doesn’t give attackers free reign over everything. For example, segregate the network for medical equipment and electronic health records from the general corporate network.

Hospitals should also use cybersecurity frameworks and guidelines made specifically for healthcare. The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services (HHS) share alerts and tips to improve healthcare cybersecurity. Being part of information-sharing groups, like H-ISAC, can help hospitals get early warnings about threats.

A healthcare data breach can seriously damage patient trust, so keeping data secure is just as important as ensuring systems are always running. Here are some tips to help protect patient data in healthcare environments:

1. All sensitive patient data should be encrypted in storage (databases, server drives, backups) and during transmission. Encryption ensures that even if attackers steal files, they cannot read the contents without the encryption keys.
2. Implement strict access controls to secure electronic health records (EHR) systems. This includes multi-factor authentication (MFA) for clinicians accessing EHRs, strong password policies, automatic session timeouts, and role-based access that limits each user to the minimum necessary information.
3. Ensure that patient records and charts are included in regular backups, and that those backups are stored securely (encrypted and offline). In a ransomware situation, having protected backups of patient data means you can restore information without paying criminals.

In conclusion, the Ascension ransomware attack clearly demonstrated that in today’s healthcare, cybersecurity is directly connected to patient safety and care. A ransomware attack on a hospital can put lives in danger by shutting down systems and exposing private information.

To prevent this, healthcare organizations must prioritize cybersecurity in healthcare and see it as a important investment. This means preparing in advance by investing in security measures, training staff, and creating reliable systems, rather than only responding after an attack happens.

By learning from cases like the Ascension attack and applying those lessons, healthcare providers can protect themselves better and ensure that the future of healthcare stays safe for patients.

Visit BlackFog.com to learn about anti data exfiltration (ADX) solutions that protect against ransomware and keep healthcare data safe.