In May 2024, Ascension, a prominent U.S. healthcare system, experienced a severe ransomware attack that disrupted IT operations across its 140 hospitals. Last week, Ascension announced that they had determined how the hackers initially gained access to their systems: an employee inadvertently downloaded a malicious file, mistaking it for a legitimate one. This common error led to significant operational challenges. The attack affected Ascension’s electronic health records (EHR) system and other critical infrastructure, forcing the healthcare giant to revert to manual processes while addressing the cyber threat.

Ascension mentioned in their statement, “We have no reason to believe this was anything but an honest mistake.” However, the attack has heightened concerns among health system CIOs and CISOs about the persistent vulnerability posed by human error and underscored the critical need for employee cybersecurity education and training.

The healthcare giant has opted to provide complimentary credit monitoring and identity theft protection to any patient or associate who requests it, regardless of whether or not their personal data was compromised in the attack.

Why it matters: This incident is a reminder of the potential for significant operational disruptions and the impact on patient care and safety due to a simple mistake. As cyberattacks on healthcare systems grow increasingly complex and frequent, the need for advancements in both technical defenses and employee education is more crucial than ever.

• Attack Origin: An Ascension employee accidentally downloaded a malicious file, inadvertently causing a ransomware attack on May 8, 2024. The incident disrupted IT operations across 140 hospitals, forcing a temporary switch to paper records.

• Data Breach: Hackers accessed and possibly stole files from 7 out of 25,000 servers. While some servers contained Protected Health Information and Personally Identifiable Information, the EHR and other clinical systems were not breached.

• Impact on Patient Care: Despite the significant disruption, Ascension managed to maintain care by reverting to manual processes to get patients the services or medication they needed, demonstrating the resilience and adaptability of healthcare providers during cyber crises.

• Historical Context: The attack on Ascension follows a troubling trend in healthcare, as it mirrors a similar ransomware incident involving Change Healthcare earlier in the year, which disrupted operations for hundreds of hospitals and clinics nationwide.

Go Deeper -> A ‘Mistake’ Allowed Hackers into Ascension’s IT System – Becker’s Hospital Review

Ascension Hacked After Employee Downloaded Malicious File – Bleeping Computer