
5.6 Million Medical Records Exposed: Email Addresses, Birthdates, and SSNs Stolen in Ascension Cyberattack

  • Writer: Jeff Wolff
  • Sep 23
Hackers are learning new ways to access WordPress websites.
Customer information stolen included names, dates of birth, credit card details, Social Security numbers, government IDs, and records associated with workers' compensation claims.

By Jeff Wolff, Founder of Paradigm Business Solutions


A ransomware attack on Ascension, one of the nation’s largest Catholic health systems, has left millions of medical records exposed. The sensitive data came from nearly 5.6 million patients and included names, email addresses, dates of birth, and Social Security numbers (SSNs). The breach is a stark reminder that no healthcare organization—regardless of size—is immune to cyber threats.


The incident began on February 29, 2024, but wasn’t discovered until months later, when providers across more than a dozen states—including 17 hospitals in Wisconsin—suddenly lost access to patient medical records and core systems. In the aftermath, patient care was significantly disrupted: appointments were cancelled, lab results delayed, and providers forced to rely on paper records for weeks.


Ascension confirmed that the attackers stole highly sensitive data, including:


  • Medical information such as diagnosis codes, lab results, and medical record numbers

  • Payment and insurance data, including credit card and bank account numbers, Medicare/Medicaid IDs, and policy information

  • Government identification like driver's license and passport numbers

  • Other personal identifiers, including dates of birth, home addresses, and phone numbers


The breach has now been linked to a known ransomware group using Black Basta malware—part of a broader trend of sophisticated, financially motivated cybercrime targeting the healthcare industry.


Department of Justice Identifies Hacker Behind the Medical Records Exposed


In a major development, the U.S. Department of Justice (DoJ) recently announced that it has charged Rami Khaled Ahmed, a 36-year-old Yemeni national, in connection with the Ascension attack and others around the world. Ahmed is accused of deploying Black Kingdom ransomware—a precursor to Black Basta—against businesses, schools, and hospitals in the U.S.

According to the DoJ, Ahmed exploited the ProxyLogon vulnerability in Microsoft Exchange Server to gain unauthorized access, install ransomware, and extort victims. He now faces charges of conspiracy, intentional damage to protected computers, and making threats to damage protected computers. Ahmed is believed to be residing in Sana’a, Yemen.


"Security isn’t a product—it’s a culture."


This prosecution underscores that even international attackers can be identified and charged. However, law enforcement intervention comes after the damage is done—making proactive cybersecurity measures all the more critical for healthcare organizations.

“What happened to Ascension should be a call to action for every practice administrator in the country,” said Jeff Wolff, founder of Paradigm Business Solutions.

What Medical Practice Managers Need to Review Today


If you manage a medical office, now is the time to assess your organization’s cybersecurity posture. Start with this checklist:


• Email Security - Are you using advanced spam filters and phishing detection?

• Endpoint Protection - Is every device protected with real-time antivirus & threat detection?

• Staff Training - Are employees trained to spot phishing and social engineering tactics?

• Data Backup & Recovery - Are your backups encrypted, tested regularly, and isolated from your live systems?

• Incident Response Plan - Do you have a clear, tested plan in place for cyber incidents?

• Third-Party Vendor Management - Are vendors required to meet your security standards?

• Patch Management - Are critical software updates applied promptly across all systems?

• Multi-Factor Authentication (MFA) - Is MFA enforced for all remote and privileged users?


The attack on Ascension shows that even well-funded health systems with robust infrastructure are vulnerable if any single point of failure—like a phishing email or an unpatched server—is exploited. Don't leave your medical records exposed. For smaller practices, a breach of this scale could be financially and reputationally devastating.
