Sarah Volpenhein
Nearly 5.6 million people were affected in the ransomware attack that hit Ascension in May, the national health system now says.
Until now, the health system had not publicly disclosed the total number of people affected by the May ransomware attack that compromised patient data and ultimately caused major disruptions to patient care for more than a month, including at Ascension hospitals and clinics in Wisconsin.
As recently as Thursday morning, the U.S. Department of Health and Human Services' online list of data breaches reported only 500 people as having been affected by the cyberattack on Ascension. But as of Friday, the number had been updated to nearly 5.6 million people.
A Catholic health system headquartered in St. Louis, Missouri, Ascension has hospitals across more than a dozen states, including 17 hospitals in Wisconsin, as well as many clinics and other health care sites.
In notices issued Thursday, the health system said that on May 7 and 8, an unidentified "cybercriminal" stole copies of files containing personal information of patients and employees. The notices did not specify the amount of data compromised in the attack.
The compromised files included patient names and other personal information, including:
- Medical information, such as medical record numbers, dates of service, types of lab tests or procedure codes;
- Payment information, including credit card information and bank account numbers;
- Insurance information, including Medicaid or Medicare IDs, policy numbers or insurance claims;
- Government identification, including Social Security numbers, driver's license numbers and passport numbers;
- Other personal information, such as dates of birth and addresses.
The type of information involved varies from person to person, the notices say.
In addition, Ascension disclosed the hack occurred on Feb. 29, according to Maine's state attorney general. Earlier this year, Ascension said that hackers gained initial entry to its computer systems when a worker accidentally downloaded a file with malware.
The breach was not detected until May 8, when Ascension medical providers lost access to patient medical records and to computer systems necessary to do their jobs.
The disruptions lasted for weeks. Patient appointments were cancelled; treatments were delayed; and health care workers waited hours or days longer than usual to get lab and test results back. Hospital workers were forced to rely on paper and other manual processes to order medical procedures, communicate across departments and keep track of patients' rapidly evolving conditions.
Cyber attacks on health systems could seriously affect patients
The ultimate impact of the ransomware attack on Ascension and its patients is unknown.
The disruptions caused by cyberattacks on hospitals can have severe consequences for patients' safety and may lead to worse care and higher mortality rates for patients, according to academic studies.
In recent years, hospitals and other health care providers — whose data is particularly sensitive and whose operations are especially critical — have increasingly become a target of cyber criminals looking to cash in.
Cyber criminals use ransomware to paralyze computer networks and extort a payment. Many also steal data for added leverage.
CNN reported earlier this year that the cyberattack on Ascension involved a type of ransomware called Black Basta, also the name of a group of cyber criminals thought to be an offshoot of a now-defunct Russian hacker group.
An Ascension spokesperson did not respond to questions sent by the Milwaukee Journal Sentinel on Thursday asking whether the health system paid a ransom and what its investigation found about the identity of the hackers.
Ascension is offering people affected by the cyberattack two years of credit and CyberScan monitoring, which searches the dark web for your personal information. Ascension also is offering ID theft recovery services through IDX.
For questions, people are directed to call a helpline for those affected by the ransomware attack at 866-724-3233, from 8 a.m. to 8 p.m. Monday through Friday. Those who wish to enroll in free online credit monitoring and identity theft protection services also are directed to call the helpline. The deadline to enroll is April 4.
Reuters contributed to this report.