Ascension Health has reported a data breach affecting 437,329 patients, following the exploitation of a third-party software vulnerability tied to a now-former business partner. The breach did not stem from Ascension’s internal systems but was instead the result of patient information being inadvertently exposed to a vulnerable vendor platform.

The disclosure was made public through an official filing with the U.S. Department of Health and Human Services (HHS) and later confirmed through company statements.

The cyberattack is strongly suspected to be connected to the Clop ransomware gang’s mass exploitation of the Cleo file transfer platform in December 2024. Clop’s broader campaign also affected organizations like Hertz and Western Alliance Bank, leveraging zero-day vulnerabilities in third-party data transfer tools to exfiltrate massive datasets.

This latest breach is particularly damaging for Ascension, coming on the heels of a separate 2024 incident involving a Black Basta ransomware attack that compromised 5.6 million individuals.

Why It Matters: The incident underlines a systemic vulnerability in the healthcare sector: data security risks stemming from third-party service providers. Even when a healthcare organization maintains robust cybersecurity practices internally, its data remains vulnerable if external partners use flawed or outdated systems. The Clop gang’s continued success in exploiting such weaknesses signals a persistent and evolving threat to the digital infrastructure underpinning critical services like healthcare. With personally identifiable and medical information exposed, the long-term consequences for victims include identity theft, fraud, and privacy erosion.

• In filings with HHS and supplemental notifications to the public, Ascension revealed that 437,329 patients were affected. The states most impacted include Texas (114,692 individuals) and Massachusetts, although the breach affected Ascension operations across Alabama, Michigan, Indiana, Tennessee, and Texas. The sheer number of exposed records puts this breach among the more severe healthcare-related cybersecurity incidents of the past year.

• Ascension disclosed that a former business partner was at the center of the breach. Information shared with this partner was stolen after attackers exploited a security flaw in Cleo’s file transfer software. The Clop ransomware group, which has been linked to similar attacks using this method, is believed to be behind the intrusion. Although Ascension didn’t name the software explicitly in its official filing, the timeline and nature of the incident strongly align with Clop’s December 2024 attack vector.

• According to Ascension’s public notification, they first became aware of a potential incident on December 5, 2024. A deeper investigation led to the determination by January 21, 2025, that the information had been compromised through the partner’s systems. Public disclosures and filings did not occur until late April 2025, reflecting a nearly five-month timeline from suspicion to confirmation and notification, a common delay in incidents involving complex third-party investigations.

• The scope of the data breach includes highly sensitive information: full names, physical and email addresses, phone numbers, Social Security numbers, health insurance details, diagnoses, and clinical visit records. Not every individual had all data fields exposed, but each person’s combination of leaked data increases the risk of identity theft, phishing attacks, and targeted fraud.

• In response, Ascension is providing two years (24 months) of free identity protection services to affected individuals. These services, managed through Kroll, include credit monitoring, fraud support, and identity theft restoration. This mirrors actions taken during their previous Black Basta-related breach but emphasizes the organization’s acknowledgment of ongoing reputational and legal risks tied to recurring cybersecurity failures.

Go Deeper -> 437,000 Impacted by Ascension Health Data Breach – Security Week

Ascension reveals personal data of 437,329 patients exposed in cyberattack – Security Affairs