Ascension, a US-based healthcare provider, has reported a significant data breach impacting the personal and healthcare information of more than 430,000 patients. According to reporting by BleepingComputer, the breach, which came to light last month, involved a data theft incident from a former business partner that occurred in December 2024.
According to notification letters sent in April 2025, the breach allowed attackers to access sensitive information, including details of inpatient visits such as physician names, admission and discharge dates, diagnosis and billing codes, medical record numbers, and insurance company names. Personal details like names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers were also compromised.
“On 5 December 2024, we learned that Ascension patient information may have been involved in a potential security incident,” said the healthcare provider. “We immediately initiated an investigation to determine whether and how a security incident occurred. Our investigation determined on 21 January 2025, that Ascension inadvertently disclosed information to a former business partner, and some of this information was likely stolen from them due to a vulnerability in third-party software used by the former business partner.”
Ascension offers free identity monitoring services to affected individuals
The breach has affected a large number of patients, with Texas reporting 114,692 individuals impacted, as indicated in a 29 April filing. Additionally, 96 residents in Massachusetts had their medical records and Social Security numbers exposed. In response, Ascension is providing two years of complimentary identity monitoring services, which include credit monitoring, fraud consultation, and identity theft restoration, to those affected.
Although Ascension has not provided additional details about the breach involving its former business partner, the timeline suggests a potential connection to Clop ransomware attacks that exploited a zero-day flaw in Cleo secure file transfer software.
Last month, another US healthcare system Yale New Haven Health (YNHHS) disclosed a cyberattack that resulted in the theft of personal information from 5.5 million patients. As reported by BleepingComputer, the breach, initially revealed on 11 March 2025, took place three days earlier, causing disruptions to IT systems but not affecting patient care. YNHHS, a nonprofit healthcare organisation based in New Haven, Connecticut, manages five hospitals and 360 outpatient facilities, employs 30,000 people, and generates annual revenues exceeding $5.6bn.
YNHHS has engaged Mandiant to aid in system recovery and conduct a forensic analysis, and it has informed federal authorities about the incident. On 11 April 2025, the organisation confirmed that the breach might have exposed sensitive patient data to unauthorised parties.
Read more: Ransomware attacks decline in April 2025, healthcare sector sees uptick
