Ascension, a major hospital system, has confirmed that cyberattackers were able to exfiltrate files from a handful of its servers, a revelation following a cyber intrusion first detected in May. According to a report by KVUE, the attackers targeted servers "used by our associates primarily for daily and routine tasks" and although the servers in question were only seven out of approximately 25,000, sensitive data might have been compromised. The potentially accessible data includes Protected Health Information (PHI) and Personally Identifiable Information (PII).
The breach reportedly originated from an employee who inadvertently downloaded a malicious file believed to be safe. This error allowed hackers to infiltrate the network and potentially access private health information, Ascension stated in a release covered by Fox 2 Detroit. To fully ascertain the breadth of the data affected, the healthcare provider anticipates having to carefully sort and analyze the impacted files, which is a process likely to require considerable time to execute properly.
Despite the chaos induced by the attack, there is currently no indication that patient data from Electronic Health Records (EHR) or other clinical systems were accessed, these systems being where fuller patient records are securely maintained. Ascension has relayed this information in a bid to allay fears of a more extensive data breach.
In an effort to mitigate potential harm resulting from this incident, Ascension has moved to offer complimentary credit monitoring and identity theft protection services to any concerned patient or associate. Interested parties are encouraged "to take advantage of these services," as reported by KVUE. These services can be activated by calling a dedicated call center at 1-888-498-8066, though Ascension has clarified that this gesture does not equate to confirmation of compromised individual data but is a proactive measure to reassure and support its patients and staff.
The full impact of the cyberattack and the list of potentially affected individuals remain undetermined at this stage. Ascension has committed to proper notification of any affected parties in compliance with applicable laws and regulations once their investigation concludes. In the meantime, patients and associates with concerns about their personal data have been advised that Ascension is "not able to answer those questions on an individual basis," as they disclosed to Fox 2 Detroit.
