Ascension Health Ransomware Attack: Impact, Lessons, and How to Strengthen Cybersecurity
Healthcare systems are increasingly vulnerable to ransomware attacks, which can disrupt operations and compromise patient safety. The May 2024 cyberattack on Ascension Health, allegedly carried out by the Black Basta group, caused major service interruptions and exposed the personal data of millions. This attack highlights the pressing need for modern cybersecurity strategies in healthcare, as outdated systems and the sensitivity of patient information make the sector a prime target for cybercriminals.

Ransomware attacks have a severe impact on healthcare, causing hospital patient volumes to drop by 17-26% in the first week and increasing in-hospital mortality by 35-41% for admitted patients. These cyber incidents disrupt critical systems, delay treatments, and put patient safety at risk.
In May 2024, Ascension Health, one of the largest non-profit healthcare systems in the U.S., experienced a major ransomware attack that crippled electronic health records (EHR), phone systems, and essential hospital operations. As digital tools become increasingly central to hospital operations, attacks like this show just how quickly a healthcare system can be crippled.
Let’s take a closer look at the full scope and lasting impact of the Ascension breach.
The Scope and Consequences of the Attack
Initially, Ascension reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) in July 2024, listing 546,931 affected individuals as a placeholder. However, by December 19, 2024, investigations confirmed that nearly 5.6 million individuals were impacted, making it the third-largest healthcare data breach of the year, after:
- Change Healthcare attack (100 million records compromised).
- Kaiser Foundation Health Plan breach (13.4 million records compromised).
The attack was linked to Black Basta, a Russian-speaking ransomware group known for targeting healthcare networks. The immediate impact included:
- Widespread disruptions across 140 Ascension hospitals in 19 states.
- EMS patient diversions, delaying emergency care.
- A month-long breakdown in lab tests, prescriptions, and medical procedures.
- Unauthorized access to sensitive patient data, with full details disclosed only months later.
In response, Ascension launched a new two-year credit monitoring program for affected individuals. Those who had enrolled in the previous package from July 2024 must sign up again to receive full coverage. Notification letters are being sent out, with mailing expected to be completed by early January 2025.
This attack highlights the urgent need for more robust cybersecurity measures in healthcare. As Ascension worked to address the breach, the immediate impact on hospital operations was clear. Let’s take a closer look at how these disruptions affected daily practices and patient care.
Disruptions at Ascension: Doctors Forced to Rely on Manual Methods
According to the Detroit Free Press, three workers who spoke anonymously reported that Ascension employees first noticed issues with the hospital’s computer network around 7 a.m. on May 8.
A physician confirmed that the system was shut down due to a security concern, stating, “It’s affecting everything.”
Another doctor from Ascension Michigan described the extent of the disruption:
“We have to write everything on paper. It feels like the 1980s or 1990s—you go to the X-ray room to check films, call the lab for results over the phone. It’s much more cumbersome, but at least we are trained for situations like this.”
A different physician stressed the urgency of restoring the system, warning:
“I just hope this doesn’t last long because patient care will definitely suffer. Data shows that when computer networks go down, the risk of adverse events increases.”
In a statement, Ascension said that affected individuals would be notified if any sensitive information was compromised:
“Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.”
The cyberattack forced hospital staff to revert to manual processes, significantly slowing down operations and raising concerns about patient safety and continuity of care.
Who Was Responsible for the Ascension Cyberattack?
The May 2024 ransomware attack on Ascension Health was linked to Black Basta, a notorious cybercriminal group that has increasingly targeted healthcare organizations. While Ascension has not publicly confirmed the exact details of the attack’s origin, cybersecurity experts and federal agencies have attributed the breach to this Russian-speaking cybercrime group, known for its highly sophisticated ransomware tactics.
Who is Black Basta?
Black Basta emerged in early 2022 and quickly gained notoriety for its double extortion strategy—encrypting victims’ files while also stealing sensitive data to pressure organizations into paying ransoms. The group primarily targets large corporations and critical infrastructure, including hospitals, financial institutions, and manufacturing companies.
Security analysts believe that Black Basta is an offshoot of the defunct Conti ransomware group, a criminal organization that had close ties to Russian cybercriminal networks. The group’s attacks often rely on vulnerabilities in IT systems, weak employee credentials, and phishing campaigns to gain access to networks.
How Did the Ascension Attack Happen?
Ascension Health first detected “unusual activity” on its network on May 8, 2024, prompting an immediate shutdown of key systems to contain the breach. Employees reported losing access to electronic health records (EHR), lab and radiology systems, and other critical healthcare infrastructure.
While the exact entry point remains unclear, cybersecurity specialists believe that the attackers gained access through a phishing email or compromised credentials, which allowed them to deploy ransomware across multiple hospital systems. Black Basta’s attack methodology often involves stealthy infiltration, exfiltration of sensitive data, and rapid encryption of key files to cripple operations.
The nature of healthcare systems makes them particularly vulnerable to cyberattacks. Understanding the reasons behind this can help us better grasp why they’re becoming prime targets for cybercriminals. Let’s take a closer look at these factors.
Why Healthcare is a Prime Target for Cybercriminals
This latest incident follows the high-profile cyberattack on UnitedHealth and Change Healthcare, where hackers stole patient data and demanded ransom. UnitedHealth is still grappling with the aftermath, estimating losses of up to $1.6 billion.
The healthcare industry has become a prime target for ransomware groups due to:
- High-value patient data – Medical records contain personal, financial, and insurance details, making them extremely lucrative on the dark web.
- Urgency of hospital operations – Attackers know that hospitals cannot afford extended downtime, making them more likely to pay ransoms.
- Legacy IT systems – Many healthcare providers still use outdated software with known vulnerabilities.
Given these factors, it’s no surprise that healthcare organizations are increasingly targeted. Now, let’s take a closer look at the real-world impact of the attack on Ascension and the disruptions it caused.
Impact of the Attack
The disruptions were severe:
- Hospitals had to revert to manual processes, using paper records for patient data and test orders.
- EMS diversions increased, delaying critical care for patients.
- Nearly 5.6 million individuals were affected, making it one of the largest healthcare data breaches of 2024.
- Financial losses were significant, with delayed billing cycles and operational slowdowns.
Doctors and hospital staff described the attack as “like going back to the 1980s or 1990s,” when digital systems were not yet standard.
The Ascension Health Ransomware Attack: Operational Impact, Recovery, and the Need for Improved Risk Management
This incident underscores the rising cybersecurity threats in healthcare and highlights the importance of robust risk management, compliance, and incident response strategies to safeguard patient data and ensure hospital continuity.
1. Operational Disruptions and Impact on Patient Care
Unlike data breaches that primarily involve stolen information, ransomware attacks cripple hospital operations, directly impacting patient care and service delivery. The Ascension Health attack resulted in:
- Loss of Electronic Health Records (EHR): Medical staff lost access to patient histories, lab results, and medication prescriptions, leading to treatment delays.
- Ambulance Diversions: Hospitals had to redirect emergency medical services (EMS), delaying urgent care.
- Pharmacy Closures: Many in-house pharmacies were unable to process prescriptions, leaving patients without immediate access to critical medications.
- Manual Record-Keeping: Staff were forced to rely on handwritten medical notes, increasing the likelihood of miscommunication and errors.
- Delays in Lab and Radiology Services: Test orders had to be processed manually, slowing down diagnostics and patient treatment.
A Michigan-based Ascension physician described the impact:
“We had no access to medical records, no access to labs, no ability to place orders electronically. Everything had to be done on paper—it slowed everything down.”
For hospitals that rely on real-time data for patient care, these disruptions had serious consequences, particularly for critical and emergency patients.
2. Financial Consequences of the Attack
Beyond operational challenges, the ransomware attack worsened Ascension’s financial struggles, further straining an already fragile post-pandemic recovery.
- $1.1 Billion Net Loss: The attack contributed to a significant annual loss, exacerbating financial instability.
- Revenue Cycle Disruptions: The inability to process claims and payments resulted in cash flow challenges, requiring emergency funding from Medicare, Medicaid, and commercial payers.
- Increased Cybersecurity and IT Recovery Costs: Ascension was forced to allocate significant resources to incident response, third-party cybersecurity services, and system restorations.
Ascension had been working toward financial recovery following the COVID-19 pandemic, but the ransomware attack further delayed its efforts to stabilize operations.
3. Data Compromised in the Breach
While Ascension initially downplayed the impact, later investigations revealed that attackers exfiltrated a wide range of sensitive patient and employee data, including:
- Personal Information: Full names, addresses, birthdates, Social Security numbers, and government-issued identification details.
- Medical Data: Hospital record numbers, test results, procedure codes, and treatment history (though full medical histories were reportedly not accessed).
- Financial and Payment Information: Credit card details, bank account numbers, and insurance claim data.
- Government and Insurance Identifiers: Medicaid and Medicare IDs, tax identification numbers, and policy details.
Ascension assured affected individuals that no full medical records were stolen, but the breach still exposed highly sensitive financial and identity data, increasing the risk of fraud and identity theft. Affected individuals were offered two years of free credit monitoring, but cybersecurity experts warn that stolen data can be misused for years in fraudulent activities.
4. The Black Basta Ransomware Group
The Black Basta ransomware group, believed to have ties to Russian cybercriminal networks, was responsible for the attack. Active since 2022, Black Basta is known for:
- Double Extortion Attacks: Encrypting files while also stealing sensitive data to pressure victims into paying ransoms.
- Targeting Critical Infrastructure: The group has attacked healthcare, finance, and manufacturing sectors with increasing frequency.
- Exploiting Phishing and Credential Theft: Most attacks originate from compromised employee credentials or phishing emails, allowing attackers to infiltrate networks.
Black Basta has a history of targeting healthcare institutions, making hospitals particularly vulnerable due to their reliance on continuous access to medical records and patient data.
5. The Need for Stronger Risk Management and Compliance in Healthcare
The Ascension ransomware attack is part of a larger pattern of cybercriminals targeting healthcare providers, as hospitals cannot afford extended system downtimes and hold valuable patient data.
Key vulnerabilities that make healthcare a prime target include:
- Operational urgency: Hospitals rely on real-time systems, making them more likely to pay ransoms to restore access quickly.
- Legacy IT systems: Many healthcare institutions still use outdated software, creating security gaps.
- Weak cybersecurity practices: Phishing attacks and poor access controls remain leading causes of breaches.
With this attack exposing critical vulnerabilities, it’s essential to understand what steps must be taken now to protect against similar incidents in the future.
Lessons from the Ascension Ransomware Attack: What Healthcare Must Address Now
The ransomware attack on Ascension Health exposed critical weaknesses in healthcare cybersecurity. It disrupted hospital operations, delayed patient care, and compromised records. This incident is part of a broader trend of cybercriminals targeting hospitals due to outdated security systems and the industry’s dependence on real-time data access. To prevent similar disruptions, healthcare organizations must move beyond reactive security measures and implement proactive cybersecurity strategies.
1. Cyber Risk is a Business Risk
Cybersecurity is often treated as an IT responsibility rather than a core business risk. The financial and operational fallout from this attack—ambulance diversions, system outages, and a $1.1 billion financial loss—shows why it must be prioritized at the highest level. To improve preparedness:
- Integrate cybersecurity into enterprise risk management strategies.
- View security investments as essential infrastructure, not optional IT expenses.
- Hold executive leadership accountable for cyber resilience, not just IT teams.
2. Strengthen Frontline Defenses
Most ransomware attacks gain entry through phishing emails, weak passwords, or unpatched software. These attack methods are preventable with the right measures:
- Implement Multi-Factor Authentication (MFA) across all access points.
- Conduct ongoing phishing simulations to strengthen staff awareness.
- Enforce zero-trust security, ensuring users only have access to what they need.
3. Backup and Recovery Must Be Reliable
During the attack, Ascension hospitals lost access to electronic health records (EHR), forcing doctors to rely on manual documentation. A robust backup and recovery strategy could have reduced this disruption. Key steps include:
- Maintain offline, encrypted backups separate from the primary network.
- Test disaster recovery plans regularly to ensure fast restoration.
- Implement redundant cloud-based systems for critical hospital functions.
4. Address Basic Cyber Hygiene
Healthcare organizations often focus on advanced security tools while neglecting basic vulnerabilities. Strengthening fundamental security practices is essential:
- Keep systems updated—legacy IT remains a major security risk.
- Segment networks—separate administrative, medical, and IoT systems to limit exposure.
- Monitor for unusual activity—early detection can minimize the impact of an attack.
5. Compliance Alone is Not Enough
Regulations such as HIPAA and HITECH set minimum security standards, but compliance does not guarantee strong cybersecurity. To stay ahead of threats:
- Go beyond compliance with real-time security monitoring and proactive risk management.
- Ensure third-party vendors meet strict security requirements.
- Adopt industry-leading cybersecurity frameworks such as NIST or ISO 27001 in addition to HIPAA.
6. Move Beyond Crisis Response
Ransomware attacks are no longer unexpected events—they are inevitable risks. Instead of reacting after a breach, healthcare organizations need to build cyber resilience into their operations. Key actions include:
- Making incident response planning a leadership priority.
- Implementing security-first policies when adopting new technology.
- Embedding cybersecurity into patient safety protocols.
The Ascension ransomware attack demonstrated how unprepared hospitals face serious consequences in downtime, financial losses, and patient safety risks. Cybersecurity must be treated as an essential function of healthcare, not a secondary concern. Healthcare organizations must act now to prevent similar disruptions and protect both patients and operations. ComplianceOps helps healthcare organizations manage compliance risks and prevent costly disruptions.
Final Thoughts
The Ascension cyber attack underscored the critical need for stronger cybersecurity in healthcare, exposing vulnerabilities that led to operational disruptions and compromised patient data. Hospitals must adopt proactive security strategies, strengthen risk management, and move beyond baseline compliance to ensure resilience against future threats. Cybersecurity is no longer just an IT issue; it’s essential to protecting patient care and maintaining trust in the healthcare system. Building a more robust risk management approach can help healthcare organizations address vulnerabilities and better prepare for future challenges. Utilizing advanced risk management frameworks, such as VComply RiskOps, can enhance an organization’s security posture and help stay ahead of evolving threats.