The May 8 ransomware attack on St. Louis-based Ascension has affected 5.6 million individuals.
According to a breach notification filed with the Maine Attorney General, the ransomware attack exposed the personal information of 5,599,699 patients, senior living residents and employees.
The compromised data includes medical details such as record numbers and procedure codes, payment information like credit card or bank account numbers, insurance details, government identification (e.g., Social Security and driver's license numbers) and personal information such as addresses and dates of birth. However, Ascension stated in a Dec. 19 update on its website that no evidence suggests the attack accessed data from its EHR or other clinical systems.
This conclusion of the investigation into the incident comes shortly after the health system reported that the cyberattack affected its operations and financial performance. In its fourth-quarter fiscal year 2024 results, reported Sept. 17, Ascension disclosed a $1.8 billion operating margin loss, which included the financial effects of the ransomware incident. The health system faced revenue losses and incurred additional costs related to remediation efforts and other business expenses.
To support those affected, Ascension is offering complimentary credit monitoring and identity protection services.