Ascension confirms data breached in Black Basta ransomware attack

A cyberattack investigation has found that files were stolen during the May incident, some of which "may contain" protected health information and personally identifiable information, the health system says.
By Andrea Fox
09:35 AM


As Ascension continues to work toward network-wide restoration of its electronic health record, the 19-state health system this week confirmed that the May 8 ransomware attack that debilitated its IT systems also may have exposed protected health information and personally identifiable information for some patients.

WHY IT MATTERS
The provider organization, one of the largest health systems in the country, said Wednesday that PHI and PII "for certain individuals" were contained in folders on seven of its 25,000 servers. While the compromised servers were part of daily routine operations, there is no evidence that data was taken from electronic health records and other clinical systems that contain full patient records.

While the investigation continues, "it is a significant undertaking that will take time," the provider organization said in its cybersecurity event update.

"We understand individuals may have questions about their data, including whether it was affected, but at this point, we are not able to answer those questions on an individual basis," Ascension said.

Last week, the national healthcare provider reported that the EHR is back up and operating at its healthcare facilities in Florida, Alabama and Austin, Texas, and said access across the 140-hospital system should be restored by June 14.

In the initial days after the cyberattack shut down its network, staff at the health system struggled to serve patients without orders and communications technologies. Having lost access to the EHR, certain lab systems and surgical and medication systems, staff reported struggles with downtime procedures in the chaos.

The health organization also noted in its latest update that the criminals initially gained entry into the network when an employee clicked to download a malicious file, believing it was legitimate.

"We have no reason to believe this was anything but an honest mistake," Ascension said in the statement.

The health system closed the update by encouraging potentially affected patients and staff to take advantage of complimentary credit monitoring and identity theft protection services, which are available by calling 888-498-8066.

THE LARGER TREND
Phishing is a top vector of attack that has only been enhanced by access to public artificial intelligence tools, and social engineering attacks are the source of many successful data breaches.

The Health Information Sharing and Analysis Center issued a threat alert on May 10 that the Russia-backed ransomware group Black Basta was accelerating attacks against the healthcare sector. H-ISAC said in the alert that the group uses spear phishing and buys compromised credentials through initial access brokers.

Heeding warnings about tactics, techniques and procedures, and similar alerts, while staying on top of patch management, can help IT teams shut down more attack vectors and shore up vulnerabilities. However, many industry observers have said the executive branch and Congress must act to bolster the healthcare sector's defenses.

A new report released by the Foundation for Defense of Democracies last week outlined 13 cybersecurity recommendations for governments and hospitals that address funding and cybersecurity workforce development, particularly in rural areas, and provide "roadmaps to secure key lifesaving services."

"The federal government should utilize extensive public-private collaboration through [U.S. Health and Human Services] to strengthen healthcare providers’ cyber resiliency," the FDD researchers said.

ON THE RECORD
"Right now, we don’t know precisely what data was potentially affected and for which patients," an Ascension spokesperson said in a statement. "In order to reach those conclusions, we need to conduct a full review of the files that may have been impacted and carefully analyze them."

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
