Ascension Health Ransomware 2024
Breach Summary
The Ascension Health ransomware attack of May 2024 was the most disruptive healthcare cyberattack in US history, forcing Ascension — one of the nation's largest nonprofit hospital systems with 140 hospitals across 19 states — to divert ambulances, cancel surgeries, revert to paper records, and take clinical systems offline for weeks. The attack demonstrated in the most consequential terms the patient safety implications of healthcare ransomware.
What Happened
Ascension detected the attack May 8, 2024, and immediately took clinical systems offline. For six weeks, 140 hospitals operated on paper-based workflows. Ambulances were diverted. Elective procedures and non-urgent appointments were canceled. Ascension disclosed in December 2024 that 5.6 million patient and employee records had been stolen, including medical records, payment information, and Social Security numbers. The Black Basta ransomware group was attributed as the attacker.
Attack Vector Detail
The initial access vector was an Ascension IT worker who accidentally downloaded a malicious file. The Black Basta ransomware group used that initial access to conduct reconnaissance, move laterally, and ultimately deploy ransomware across Ascension's clinical systems. Electronic health records, the MyChart patient portal, medication ordering systems, and other clinical technology were all taken offline.
Clinical staff across 140 hospitals were forced to revert to paper-based workflows that many had never used before. Paper orders, manual medication reconciliation, and handwritten nursing notes replaced EHR workflows that staff depended on completely. The transition produced medication errors and patient harm as a documented outcome of the attack.
Breach Pattern Timeline
May 8, 2024
Ascension — one of the largest U.S. nonprofit Catholic health systems with 140 hospitals across 19 states — detects unusual activity on its IT network. Activates incident response.
May 9-10, 2024
Ascension takes systems offline, including electronic health records (Epic), the MyChart patient portal, lab and imaging systems, and pharmacy ordering. Reverts to paper-based clinical operations across the entire health system.
May 9, 2024
Black Basta ransomware group (Russia-aligned, Conti successor) suspected as threat actor. Confirmed shortly after via Microsoft and CrowdStrike attribution.
May 9 - June 14, 2024
Ascension hospitals operate on paper for ~5 weeks. Patient diversions occur (ambulances rerouted to other hospitals). Medication errors and care delays reported. Two patient deaths later linked to delayed care during the outage.
May 15-30, 2024
Initial cause traced to a contractor employee accidentally downloading a malicious file. The contractor employee's compromised credentials provided initial access.
June 14, 2024
Ascension begins phased restoration of EHR systems. Full restoration of all systems takes additional weeks.
December 2024
Ascension confirms data exfiltration scope: approximately 5.6 million patients' protected health information exposed including medical records, insurance, billing, and SSNs.
2024-2025
Class action consolidation begins. HHS OCR investigation continues. Two confirmed patient deaths linked to the outage drive renewed scrutiny of healthcare ransomware as a patient safety issue.
2024-2026
Ascension-Black Basta case follows Change Healthcare (Feb 2024) as the second consecutive massive U.S. healthcare ransomware attack in the same year. Foundational precedent for healthcare ransomware patient harm framework and contractor credential security.
Total impact: 5.6 million patients' PHI exposed across 140 hospitals, ~5-week paper-based operations, two confirmed patient deaths linked to outage, foundational precedent for healthcare ransomware patient harm assessment and contractor credential risk.
Executive Lessons
The Ascension breach demonstrated that even large, well-resourced healthcare systems are vulnerable to ransomware that disrupts clinical operations at a scale that creates patient safety risk. The attack forced clinicians to revert to paper-based workflows for weeks, delaying diagnoses and treatments. For PE sponsors with healthcare portfolio companies, clinical system ransomware is not just an IT problem — it is a patient safety and regulatory risk that requires board-level attention and dedicated recovery investment.
Private Equity Implications
For PE sponsors with healthcare portfolio companies, Ascension established that healthcare ransomware financial impact can reach billions. Any healthcare portfolio company must have endpoint security, network segmentation, and clinical business continuity planning as baseline security investments — not future-state aspirations.