April 11, 2026
Ascension, one of the largest private healthcare systems in the United States, revealed in breach notification letters sent in April 2025 that a December 2024 data theft at a former business partner exposed personal and protected health information of 437,329 patients. The compromised records included patient admission and discharge details, diagnosis and billing codes, medical record numbers, insurance information, and personally identifiable data such as names, addresses, contact details, dates of birth, demographics, and Social Security numbers.
Upon learning of the potential security incident on December 5, 2024, Ascension immediately initiated a forensic investigation and determined by January 21, 2025 that data had been inadvertently disclosed and was likely stolen due to a vulnerability in the third-party partner’s Cleo secure file transfer software. In response, Ascension is providing two years of complimentary identity-monitoring services, which include credit monitoring, fraud consultation, and identity theft restoration. It attributes the breach to the broader Clop ransomware data-theft campaign targeting file-transfer platforms. This incident follows a May 2024 Black Basta ransomware attack that impacted approximately 5.6 million of Ascension’s patients and employees, forcing the organization to revert to manual record-keeping and defer non-emergency care to maintain operational continuity.
The breach is a reminder of the imperative for healthcare organizations to enforce rigorous third-party risk governance and maintain continuous security monitoring across their partner ecosystems.