Fraud Management & Cybercrime , Governance & Risk Management , Privacy

Worker-Downloaded Malware Caused Ascension Ransomware Attack

All Patients, Employees Offered Credit Monitoring While Investigation Continues
Worker-Downloaded Malware Caused Ascension Ransomware Attack
Image: Ascension

Ransomware attackers stole files from seven of Ascension's 25,000 servers after gaining access to the organization's network when an employee inadvertently downloaded a file containing malware, said the Missouri-based healthcare system.

See Also: Every Second Counts: 6-Step Ransomware Remediation Guide

Although the investigation is still ongoing, some of the files stolen in the attack on May 8 potentially contain patient and employee protected health information and personal identifiable information, Ascension said in an update on Wednesday about the incident.

"Specific data may differ from individual to individual," Ascension said. "Right now, we don't know precisely what data was potentially affected and for which patients. In order to reach those conclusions, we need to conduct a full review of the files that may have been impacted and carefully analyze them," Ascension said.

"While we have started this process, it is a significant undertaking that will take time. In the meantime, we are offering complimentary credit monitoring and identity theft protection services to any Ascension patient or associate who requests it, free of charge, and regardless of whether we determine in the future that their data was actually involved in this incident," the organization said.

Ascension added that it has no evidence at this time that any patient or associate is at risk of fraud as a result of this incident. Sources close to the Ascension investigation have said Russian-speaking ransomware group Black Basta was behind the attack, but Ascension has not publicly commented on that.

About a week after Ascension publicly disclosed the attack, several federal authorities in the U.S. - including the FBI, the Cybersecurity Infrastructure and Security Agency and the Department of Health and Human Services - issued advisories warning that hackers have used Black Basta ransomware to encrypt and steal data from at least 12 of the 16 critical infrastructure sectors, including healthcare.

As of last month, Black Basta affiliates have affected more than 500 organizations globally across many sectors, the warnings said (see: Feds, Groups Warn Health Sector of Black Basta Threats).

Ascension shut down electronic health records, pharmacy and other clinical IT systems across most of the 19 states where it operates its 140 hospitals and other healthcare facilities soon after discovering the incident (see: Impact of Ascension's Cyberattack Outage Varies by Region).

EHR access has been restored in most of the affected states, and the remaining regions are expected to be back online by Friday, Ascension said.

Ascension said Wednesday that it has no evidence that data was taken from its EHR or other clinical systems where "full patient records" are stored.

"We have also identified how the attacker gained access to our systems. An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate," Ascension said. "We have no reason to believe this was anything but an honest mistake."

"At this point, we now have evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks," Ascension said. "These servers represent seven of the approximately 25,000 servers across our network."

Although seven out of 25,000 servers sounds like a tiny portion of Ascension's IT environment, the impact depends on the volume and type of patient, employee and other sensitive data stored in that handful of affected servers, said Bryan Chnowski, deputy CISO of Nuvance Health, which operates seven hospitals and dozens of medical practices and care centers in New York’s Hudson Valley and Western Connecticut.

"Who knows what could be on those servers?" he said.

Also, the fact that Ascension is "essentially offering credit monitoring to everyone," whether or not a patient or employee is known to be affected, might indicate the company suspects the scope of the potential breach is wide, he said.

Ascension did not immediately respond to Information Security Media Group's request for additional details about the incident, including the types of servers affected and data contained on them.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.