Cyberattack hits Ascension, disrupts clinical operations

National hospital operator Ascension said a “cyber security event” has disrupted some of its clinical operations, according to a Thursday news release.

Ascension, a St. Louis-based nonprofit and Catholic healthcare network, announced it had detected “unusual activity” on some of its systems on Wednesday, according to the release. In response, the company kicked off an investigation and remediation efforts—including turning to outside cybersecurity firm Mandiant for help, as well as notifying the “appropriate authorities,” per the release.

“Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible,” the release said. “We continue to assess the impact and duration of the disruption.”

Ascension operates 140 hospitals and includes thousands of affiliate providers and associates across more than a dozen states and Washington, DC, according to the system’s website. The release did not specify which clinical operations the cyberattack had impacted, or how.

In some states, ambulances were instructed to take patients to different hospitals, and in others, patient record systems and medication-prescribing systems were affected, as well as IT services, according to reports from the Washington Post and CBS News.

The attack comes after Ascension reported a nearly $2.7 billion net loss in earnings during fiscal year 2023.

“Together, we are working to fully investigate what information, if any, may have been affected by the situation,” the release said. “Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines.”

This makes Ascension the latest victim in a string of cyberattacks on healthcare companies. Repercussions are ongoing from the February attack on Change Healthcare, a major health tech company that handles patient payments and prescription processing across the US, and it has already cost providers millions of dollars and led to strife for some small physician practices.

In late 2023, an attack hit Ardent Health Services, a healthcare network with providers in six states, according to a news release. CommonSpirit Health also lost about $160 million in 2022 after a large-scale ransomware attack.