
Patient Emails, Dates of Birth, and SSNs Stolen: Business Data Breach at Ascension Exposes Over 430,000 Patients

  • Writer: Jeff Wolff
  • Sep 2


By Jeff Wolff, Founder of Paradigm Business Solutions


In yet another alarming reminder of the vulnerabilities facing healthcare systems, Ascension, one of the largest private health systems in the U.S., confirmed that the personal and healthcare data of over 430,000 patients was exposed following a data theft incident in December 2024.


According to breach notification letters sent last month, the attackers accessed sensitive information, including names, email addresses, dates of birth, Social Security numbers (SSNs), phone numbers, and detailed medical records. The breach stemmed from a third-party vendor who fell victim to a vulnerability in their secure file transfer software—a pattern that continues to plague healthcare providers nationwide.

"Ascension’s breach is a stark reminder that no healthcare organization—large or small—is immune to cyber threats. Patient data is a prime target because of its long-term value on the black market." Jeff Wolff, Founder & CEO, Paradigm Business Solutions

Ascension’s internal investigation found that data was unintentionally disclosed to a former business partner and subsequently stolen due to a known zero-day vulnerability. While Ascension is offering affected patients two years of identity monitoring, the broader implications for medical practices are clear.


This is not the first incident for Ascension. In 2024, they disclosed a ransomware attack that affected nearly 5.6 million individuals, crippling operations, forcing a return to paper record-keeping, delaying procedures, and disrupting emergency services.


Healthcare Data: A High-Value Target


Patient data is among the most lucrative assets for cybercriminals. Medical records contain an unparalleled amount of personal information, enabling identity theft, insurance fraud, and phishing scams for years after the breach occurs. For medical facilities, breaches can also lead to costly fines under HIPAA, reputational damage, and operational downtime that impacts patient care.


Key Lessons for Medical Practice Managers


Incidents like Ascension’s demonstrate that data breaches don’t only impact large systems—they threaten businesses of every size. Smaller practices often have fewer resources for security, making them even more attractive to attackers.

To mitigate risks and catch breaches early, healthcare managers should prioritize:


  • Regular third-party security assessments: Vendors and partners can be the weakest link.

  • Zero-trust security models: Limit data access based on roles and monitor all connections.

  • Robust employee training: Human error remains a top cause of breaches.

  • Endpoint detection and response (EDR) tools: These detect suspicious behavior early.

  • 24/7 threat monitoring and incident response plans: Rapid response is critical to contain breaches.


Ascension’s second major data breach in less than two years is a cautionary reminder for the entire healthcare sector that data security needs to be proactive, not reactive.
