Non-profit healthcare system Ascension Health is notifying over 100,000 people that their personal and health information was stolen in a third-party data breach.
The data was stolen after hackers exploited a vulnerability in third-party software that a former business partner was using. Ascension inadvertently exposed the compromised information to that business partner.
The organization says it learned of the data breach on December 5, 2024, which, given its description of the incident, suggests that it was linked to the Cleo hack that affected dozens of entities.
As part of the attack on Cleo’s file transfer platform, the notorious Cl0p ransomware group exploited two zero-day flaws to exfiltrate data from numerous organizations, including car rental giant Hertz Corporation and Western Alliance Bank.
Ascension, which runs one of the largest healthcare systems in the US, appears to have been affected as well, through the former business partner that it did not name.
In an incident notice this week, the organization revealed that personal and health information such as names, addresses, phone numbers, dates of birth, email addresses, Social Security numbers, diagnosis details, insurance information, and inpatient visit details were stolen in the attack.
Ascension is providing the potentially affected individuals with two years of free credit monitoring and identity theft protection services.
The organization did not say how many individuals might have been affected by the data breach, but said the stolen information pertained to patients at its locations in Alabama, Michigan, Indiana, Tennessee, and Texas.
Notices sent to Massachusetts and Texas authorities show that more than 114,700 people were affected. SecurityWeek has emailed Ascension for additional information on the incident and will update this article if a reply arrives.
Last year, Ascension disclosed a data breach that affected roughly 5.6 million individuals. The incident occurred in May 2024 and was said to be the result of a BlackBasta ransomware attack.
Related: 4 Million Affected by VeriSource Data Breach
Related: African Telecom Giant MTN Group Discloses Data Breach
Related: Blue Shield of California Data Breach Impacts 4.7 Million People
Related: 5.5 Million Patients Affected by Data Breach at Yale New Haven Health