It took them months to update their report, but Ascension has now disclosed how many patients were affected by a ransomware attack they disclosed earlier this year. Bleeping Computer reports:
Ascension, one of the largest private U.S. healthcare systems, is notifying nearly 5.6 million patients and employees that their personal and health data was stolen in a May cyberattack linked to the Black Basta ransomware operation.
The health network reported a total revenue of $28.3 billion in 2023 and operates 140 hospitals and 40 senior care facilities across the United States.
The company now mails data breach notifications to 5,599,699 affected individuals via the United States Postal Service. Starting Thursday, December 19, Ascension also offers affected people 24 free months of IDX identity theft protection services, including CyberScan monitoring and a $1,000,000 insurance reimbursement policy.
Read more at Bleeping Computer.
Ascension isn’t the only healthcare entity to be late in sending notification letters. This week, we also learned that Richmond University Medical Center in New York is also first sending out notification letters stemming from a May 2023 cyberattack. The medical center’s report to the Maine Attorney General’s Office does not indicate whether this was a ransomware attack, and no ransomware group ever claimed responsibility for the attack. Unlike Ascension, however, Richmond has not yet disclosed the total number of patients affected and there is no report on HHS’s public breach tool about this incident as of publication.
Update: This post’s headline and content were corrected to reflect that the breach was in May of 2024, not May of 2023. The Data Breach Times regrets the error.