Ascension Health ransomware attack

On 8 May 2024, Ascension — one of the largest non-profit health systems in the United States, with roughly 140 hospitals across 19 states — detected a ransomware intrusion that forced its hospitals back onto pen and paper for weeks. Attributed to the Black Basta ransomware group, the attack diverted ambulances, delayed care, and ultimately exposed the protected health information of nearly 5.6 million patients.

What happened

Ascension's investigation determined that the intrusion began when an employee inadvertently downloaded a malicious file, believing it to be legitimate. From that foothold, the attackers moved through the network and reached 7 of approximately 25,000 servers. On 8 May 2024, IT staff noticed unusual activity, and within hours core systems began failing.

Security researchers and subsequent reporting attributed the attack to Black Basta, a Russian-speaking ransomware-as-a-service operation known for double-extortion tactics against healthcare and critical infrastructure.

Impact

Ascension's electronic health record (EHR) system, patient portals, phone systems, and the platforms used to order tests, procedures, and medications went offline. Clinical staff reverted to manual, paper-based processes for roughly six weeks.
Emergency departments at multiple sites went on diversion, redirecting ambulances to non-Ascension facilities, and nurses reported medication and lab-ordering delays that raised patient-safety concerns.
The data of 5,599,699 individuals was confirmed compromised. Exposed fields included names, addresses, dates of birth, Social Security numbers, medical record numbers, credit card and bank account information, Medicare/Medicaid IDs, driver's license numbers, and passport numbers.
The disruption hit Ascension's finances hard: same-facility patient volumes fell 8–12% in May and June, contributing to an operating loss of roughly $1.8 billion and a near $1.1 billion net loss for the fiscal year ending June 2024.

Response

Ascension took systems offline, activated downtime procedures, and brought in third-party incident responders. It restored EHR access progressively through June 2024 and offered affected patients two years of free credit monitoring and identity-theft protection. The company has not disclosed paying a ransom. Multiple class-action lawsuits followed the breach notification.

Why it matters

Ascension is a defining case for ransomware as a patient-safety hazard, not merely a data-privacy event. A single mistaken download cascaded into weeks of degraded care across a system serving millions, demonstrating how thin the operational margin is when clinical workflows depend entirely on connected IT. The incident reinforced regulatory and sector pressure — echoed after the contemporaneous Change Healthcare attack — to treat healthcare cybersecurity as critical infrastructure, with hardened identity controls, tested downtime procedures, and network segmentation between administrative and clinical systems.

Timeline

May 8, 2024

Ascension's IT team detects unusual activity on the network; within hours multiple core clinical systems begin failing.

May 8, 2024

Ascension takes systems offline, activates downtime procedures, and begins diverting ambulances from affected emergency departments.

May 9, 2024

Ascension publicly confirms a cyberattack disrupting clinical operations across its national footprint of roughly 140 hospitals in 19 states.

June 1, 2024

Electronic health record (EHR) access is progressively restored after staff worked from paper records for roughly six weeks; security firms attribute the attack to the Black Basta ransomware group.

June 1, 2024

Investigation determines attackers accessed 7 of about 25,000 servers after an employee mistakenly downloaded a malicious file.

December 19, 2024

Ascension concludes its file review, confirms the protected health information of 5,599,699 people was compromised, and begins mailing notification letters.

Sources

healthcaredive.comhttps://www.healthcaredive.com/news/ascension-cyberattack-hurts-2024-earnings/727470/

cybersecuritydive.comhttps://www.cybersecuritydive.com/news/ascension-cyberattack-data-breach/736183/

healthcareitnews.comhttps://www.healthcareitnews.com/news/ascension-confirms-data-breached-black-basta-ransomware-attack

about.ascension.orghttps://about.ascension.org/news/2024/05/ascension-releases-q3-fy24-financial-results

Related incidents

RansomwareRansom paidFebruary 21, 2024

Change Healthcare ransomware (ALPHV/BlackCat)

ALPHV/BlackCat compromised Change Healthcare via Citrix portal lacking MFA, paralyzed U.S. prescription claims for weeks, and exfiltrated data on an estimated 100 million people.

Victim: Change Healthcare (UnitedHealth Group)
Loss: $2.87B
Records: 100.0M

RansomwareContainedMay 12, 2017

WannaCry ransomware worm

A North Korean ransomware worm that exploited the EternalBlue SMB vulnerability to spread to ~200,000 systems across 150 countries in 24 hours. Paralysed the U.K.'s NHS and crippled manufacturing globally.

Victim: ~200,000 organizations worldwide (UK NHS, Telefónica, Renault, Deutsche Bahn, Honda et al.)
Loss: $6.00B

RansomwareContainedAugust 21, 2024

Halliburton RansomHub attack (2024)

RansomHub gained access to Halliburton's systems, prompting the oil-services giant to take infrastructure offline. The incident delayed invoicing and purchase orders, and Halliburton booked a $35 million loss in its SEC filings.

Victim: Halliburton
Loss: $35.0M

RansomwareRansom paidJune 18, 2024

CDK Global BlackSuit ransomware (2024)

BlackSuit operators encrypted CDK Global's dealer-management platform, knocking ~15,000 North American car dealerships offline for nearly two weeks. A second attack hit on day two of recovery. Industry losses estimated at over $1 billion; CDK reportedly paid a $25 million ransom.

Victim: CDK Global
Loss: $1.00B