By Anthony Kimery

On Friday, an attorney for Ascension Health, a major U.S. hospital operator, wrote to Maine's attorney general to tell him the electronic personal health information (e-PHI) of Ascension patients and employees were compromised during the ransomware attack that occurred in May that affected nearly 5.6 million people.

The attack significantly disrupted Ascension's operations across its extensive network, encompassing 134,000 associates, 35,000 affiliated providers, and 140 hospitals in 19 states and the District of Columbia. Immediate consequences included the diversion of ambulances, closure of pharmacies, and a reversion to manual record-keeping methods as critical IT systems had to be taken offline.

Ascension attorney Sunil Shenoi said in his December 19 letter to the Maine Attorney General's Consumer Protection Division that the company "will begin notifying applicable Maine residents of the security incident" through the U.S. Postal Service.

Despite the growing scale of cyber threats against the healthcare industry, a Congressional Research Service (CRS) report earlier this month emphasized that "there is no comprehensive digital data protection law in the United States." Variable state data privacy and security laws compound this problem. Furthermore, while many data protection guidance documents are available, they are voluntary.

The attack on Ascension is the latest cyber-attack targeting the healthcare sector, which is particularly vulnerable due to the sensitive nature of patient data and the critical importance of uninterrupted medical services. Earlier this year there was a similar ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group that affected the personal health information of 100 million people, underscoring once again the escalating cybersecurity challenges healthcare providers face.

The February ransomware attack on Change Healthcare – attributed to the BlackCat cybercrime group – disrupted electronic payments and medical claims processing affecting healthcare providers and patients nationwide.

UnitedHealth CEO Andrew Witty told the House Committee on Energy and Commerce's Subcommittee on Oversight and Investigations in May that the cyber "criminals used compromised credentials to remotely access a Change Healthcare Citrix portal, an application used to enable remote access to desktops [which] did not have multi-factor authentication. Once the threat actor gained access, they moved laterally within the systems in more sophisticated ways and exfiltrated data. Ransomware was deployed nine days later."