Ascension Reports Data Breaches Involving Its Business Partners

By Daniel Lopez

Ascension, based in St. Louis, Missouri, has begun sending notification letters to some patients about a security incident at a former business partner. On December 5, 2024, Ascension learned that the business partner had experienced a hacking incident. On January 21, 2025, the investigation showed that Ascension had disclosed patient data to the former business partner and that data theft likely happened during the hacking incident. Ascension stated the hacking incident did not affect any of its systems.

Scope of the last breach

A hacker exploited a vulnerability in third-party software to gain access to data stored by the former business partner. The data analysis showed that the data potentially stolen during the incident included names, telephone numbers, email addresses, addresses, birthdates, race/gender, Social Security numbers, insurance provider, medical record numbers, and clinical data associated with inpatient consultations, which might have involved medical record numbers, service areas, discharge dates, physicians’ names, and diagnosis and billing codes.

Ascension stated it has reviewed its guidelines, procedures, and processes and will apply better safety measures to avoid similar incidents in the future. The impacted individuals are former patients at Ascension centers in Alabama, Michigan, Texas, and Tennessee. Ascension is mailing personal notification letters to the impacted individuals and providing free credit and identity theft protection services for two years.

The breach is not yet posted on the HHS’ Office for Civil Rights (OCR) breach website. Hence, the exact number of affected individuals is uncertain, but hundreds of thousands of individuals are likely affected in several states, according to the notices sent to state Attorneys General. For example, the notification sent to the Texas Attorney General indicated that 114,692 Texas residents were impacted.

Ascension Reported Multiple Third-Party Breaches in 2025

Ascension has also announced three other third-party data breaches in 2025:

  • The Scharnhorst Ast Kennard Griffin law firm data breach in mid-April was reported to have affected 639 people, although the total number of affected clients is uncertain.
  • The HIPAA-covered Access Telecare data breach in March was reported to have impacted the ePHI of 62,669 people.
  • The HIPAA-covered Restorix Health data breach in February was reported to have impacted the ePHI of 38,553 people.

All of these data breaches involved the exposure of patient data; however, the breaches did not affect Ascension’s systems.

Regarding the Scharnhorst Ast Kennard Griffin data breach, Ascension mentioned that it happened from July 17, 2024 to August 6, 2024. The forensic investigation revealed that hackers viewed or stole sensitive information. The data likely exposed may have included the following data elements:

  • Name
  • Telephone number
  • Date of birth and death
  • Race
  • Social Security number
  • Driver’s license or state ID card
  • Medical treatment data including:
    • Dates of services
    • Medical condition
    • Health history
    • Procedure details
    • Provider name
    • Test or vaccine data
    • Laboratory results
    • Prescription details
  • Medical insurance name and ID number
  • Other identifiers, including patient account number and medical record number

The law firm is providing free credit monitoring services to the impacted individuals.


Daniel Lopez is the HIPAA trainer behind HIPAA Coach and the HIPAA subject matter expert for NetSec.news. Daniel has over 10 years of experience as a HIPAA coach. Daniel provides his HIPAA expertise to several publications, including Healthcare IT Journal and The HIPAA Guide. Daniel studied Health Information Management before focusing his career on HIPAA compliance and protecting patient privacy. You can follow Daniel on Twitter / X: https://twitter.com/DanielLHIPAA