More than 437,000 patients were impacted by a recently disclosed data breach, non-profit healthcare system Ascension Health told the US Department of Health and Human Services (HHS).
The incident did not involve Ascension Health’s systems, but a business partner to which Ascension inadvertently exposed patient data, the organization said roughly two weeks ago.
The data, Ascension said, was stolen after hackers targeted a vulnerability in third-party software the business partner was using.
Given the organization’s description of the incident and that it occurred in early December, it is likely that the information was stolen in the attack on Cleo’s file transfer platform, in which the Cl0p ransomware group exfiltrated data from multiple companies, including Hertz Corporation and Western Alliance Bank.
When disclosing the data breach, Ascension said that the information pertained to its locations in Alabama, Michigan, Indiana, Tennessee, and Texas, but did not share details on the number of potentially affected individuals.
However, a Friday update to the HHS’s data breach portal shows that the hackers stole the information of 437,329 Ascension patients.
The compromised information includes names, addresses, email addresses, phone numbers, Social Security numbers, diagnosis and health insurance information, and other details.
Ascension is providing the impacted people with 24 months of free credit monitoring and identity theft protection services.
While the number of affected individuals is significant, the incident pales in size when compared to the May 2024 data breach that Ascension disclosed after falling victim to a BlackBasta ransomware attack, which impacted 5.6 million people.
Related: 160,000 Impacted by Valsoft Data Breach
Related: Kelly Benefits Data Breach Impact Grows to 400,000 Individuals
Related: 4 Million Affected by VeriSource Data Breach
Related: African Telecom Giant MTN Group Discloses Data Breach