Ransomware Attack Disrupts Ascension Health System

Ascension detected unusual activity in its network systems on May 8. On May 11, the largest nonprofit health system in the United States announced the activity was caused by a ransomware attack.

“Ascension, with the support of leading cybersecurity experts, worked around the clock over the weekend to respond to the ransomware incident affecting our systems,” an Ascension spokesperson said on Monday following the disclosure. “We are focused on restoring systems safely. We are making progress, however, it will take time to return to normal operations.”

CNN has reported that the health system was attacked by a type of ransomware called Black Basta, which hackers have repeatedly used to attack healthcare organizations in recent years.

Ascension Hospitals and Clinics Resort to Manual Processes

As the restoration and investigation processes continue, Ascension reports that hospitals and clinics remain open. However, emergency services are being diverted at some locations, and the organization’s EHR systems are unavailable, causing a move to paper records. With 134,000 employees, 35,000 affiliated providers, and 140 hospitals across 19 states and Washington, D.C., transitioning to manual processes is no small feat.

Ascension has not yet identified if Personal Health Information (PHI) has been breached but said, “Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.” In the meantime, patients are advised to keep their appointments, though some non-emergent elective procedures are paused.

Cyberattacks Continue to Target Healthcare Organizations

Both the current Ascension and February Change Healthcare cyberattacks highlight the growing problem of cyber threats against healthcare organizations. In this article on our blog, Lessons from the Change Healthcare Cyberattack Incident, you can read about the earlier incident and learn strategies to protect healthcare data.

The Ascension cyberattack also highlights the importance of an effective Disaster and Recovery Plan. The HIPAA Security Rule requires covered entities and their business associates to maintain a comprehensive contingency, emergency mode, data backup, and disaster recovery plan that prepares them for an event such as a natural disaster or a cyberattack. As happened with Ascension, cyberattacks are increasingly taking the form of ransomware, which disables access to critical data and systems.