Ascension systems face suspected attack

Ascension disclosed a suspected cybersecurity incident on May 8 after detecting unusual activity on its network, setting off system shutdowns that disrupted operations across one of the largest nonprofit health systems in the United States. The company said it took certain systems offline to protect patient information as it investigated the event. Reports at the time said clinical operations were affected, and some hospitals paused nonemergency procedures, tests and appointments. The disruption landed less than three months after the February 21, 2024 attack on Change Healthcare, a UnitedHealth Group unit whose outage rippled through claims processing, pharmacies and provider cash flow. At HIMSS 2024, Lee Kim, senior principal of cybersecurity and privacy at HIMSS, said the Change incident showed “no one is immune,” a phrase that has since become shorthand for the sector’s exposure to concentrated digital dependencies. (drugtopics.com) ### Which systems went down inside Ascension? Ascension said the suspected event forced it to shut down multiple technology systems across its network. Contemporary reports said the affected tools included electronic health records, the MyChart patient portal and some phone systems, leaving staff to work through manual processes while the company assessed the scope of the incident. (chiefhealthcareexecutive.com) Reuters reported on May 8, 2024 that Ascension advised business partners to temporarily disconnect from its systems. That step is common in incident response when an organization is trying to contain lateral movement or preserve forensic evidence, though Ascension did not publicly describe the exact attack path at that stage. (drugtopics.com) ### Why did this get attention beyond one hospital chain? Ascension’s scale made the outage consequential. Drug Topics described Ascension as one of the largest healthcare systems in the country, and HFMA said the organization had about 140 hospitals. When a network that large loses access to core systems, the operational effects can spread quickly across scheduling, intake, communications and routine care delivery. (marketscreener.com) The Change Healthcare attack had already heightened concern about single points of failure in healthcare administration. The American Hospital Association described that earlier breach as the most significant cyberattack in U.S. healthcare history, according to Chief Healthcare Executive’s coverage of the federal response. (drugtopics.com) ### What did cybersecurity observers say the episode showed? Lee Kim of HIMSS said after the Change attack that healthcare organizations needed better defenses because “no one is immune.” Steve Cagle, chief executive of cybersecurity firm Clearwater, told Chief Healthcare Executive that cyberattacks on healthcare were becoming more sophisticated and that cybersecurity should be treated as part of business strategy, not only as an IT function. (chiefhealthcareexecutive.com) Those comments matter because the first visible failures in a hospital cyber event are often front-door functions rather than back-office databases. Intake, scheduling, messaging, portals and phones are where patient access breaks down first when core systems are unavailable — an inference supported by the systems reported offline at Ascension and the operational disruptions described during the Change fallout. (chiefhealthcareexecutive.com) ### What happens next after a disruption like this? Ascension said in its public updates that it was working with law enforcement and industry partners while restoring systems. Organizations in this position typically move through containment, forensic review, staged restoration and, if data was accessed, later notification and regulatory disclosure, though those later steps depend on what investigators find. (hfma.org) Chief Healthcare Executive continued to cover healthcare cyber preparedness after HIMSS 2024, and Ascension’s own updates became the main reference point for restoration progress. The next concrete developments in cases like this usually come from company status statements, filings or breach notices naming what data, if any, was affected. (chiefhealthcareexecutive.com) (hfma.org)