Ascension Reveals Numerous Third-Party Data Breaches

Ascension Health, a Catholic health system headquartered in Missouri, has revealed multiple third-party data breaches that have emerged in 2025, affecting patients across its vast network of hospitals and care facilities. Each breach notification has been posted on Ascension’s website, including one related to the Change Healthcare cyberattack. Notably, all reported incidents occurred in 2024 or earlier, spotlighting the ongoing vulnerabilities in healthcare cybersecurity.

With a reach extending to 16 states and Washington, D.C., Ascension also endured a significant unrelated breach in May 2024, where a ransomware attack on its internal systems compromised approximately 5.6 million records. This incident serves as a grim reminder of the prevalent threats facing healthcare entities. A report by the Ponemon Institute and Imprivata, published in February 2025, highlighted that 44% of healthcare participants surveyed experienced a data breach or cyber incident linked to third-party network access over the previous year, underscoring the critical importance of third-party risk management.

Ascension discloses data breach tied to former business partner

The most recent breach impacting Ascension patients was disclosed on December 6, 2024, when the organization recognized that patient data might have been compromised due to a security incident involving a former business partner. Ascension, however, did not specify the identity of this partner in its public notification on April 28, 2025. By late January, Ascension confirmed that sensitive information had been inadvertently shared with this partner and subsequently exploited due to vulnerabilities in third-party software utilized by the partner.

The breach has affected patients associated with Ascension facilities in Michigan, Indiana, Alabama, Tennessee, and Texas, although the exact number of impacted individuals has yet to be reported on the HHS Office for Civil Rights (OCR) data breach portal. The compromised data included demographic details, Social Security numbers, and clinical information from inpatient visits. Importantly, Ascension noted that its internal systems, networks, and electronic health records were not involved in this incident.

In a statement, Ascension affirmed its commitment to improving protective measures to avert similar breaches in the future, indicating a proactive approach toward bolstering its cybersecurity posture.

Law firm hack impacts Ascension data

On April 14, 2025, Ascension reported another third-party data breach linked to the Missouri-based law firm Scharnhorst Ast Kennard Griffin (SAKG). Again, Ascension’s systems were not directly compromised. SAKG informed Ascension in February 2025 that unauthorized access had occurred, with sensitive data being viewed or extracted between July 17, 2024, and August 6, 2024.

According to the OCR’s data breach portal, the incident impacted 639 individuals and involved various forms of sensitive data, including demographic information, Social Security numbers, medical treatment details, medical record numbers, and patient account numbers. This event emphasizes that legal firms handling healthcare data can present substantial risks to patient privacy.

Telehealth company data breach affects Ascension patients

On March 3, 2025, Ascension issued a notice regarding a third-party data breach involving Access TeleCare, a telehealth provider working with Ascension Seton in Texas. Access TeleCare reported that unauthorized individuals accessed specific email accounts between November 6, 2023, and January 8, 2024, potentially downloading sensitive information. The company has since initiated an investigation, implemented security measures, and informed those affected.

The compromised email accounts included personal identifiers like names, birth dates, Social Security numbers, passport information, financial details, and treatment records. As with other incidents, Ascension confirmed that its internal systems remained unaffected.

Wound care management company discloses email breach

In February 2025, Ascension posted a notice about a data breach at Restorix Health, a service provider for wound care management at various Ascension facilities. This breach did not involve Ascension’s systems directly but did affect patient data due to unauthorized access to an employee email account from May 7 to May 29, 2024. Restorix only informed Ascension of the issue in December 2024, indicating lapses in timely breach reporting.

These ongoing incidents highlight the pressing challenges healthcare organizations face concerning third-party risk. The intertwined relationships with partner entities necessitate rigorous oversight and continuous improvement in cybersecurity frameworks to protect sensitive patient data. The pattern of data breaches through third-party access points corresponds to the MITRE ATT&CK tactics and techniques covering initial access and exploitation of vulnerabilities in partner systems.

Jill McKeon has been reporting on healthcare cybersecurity and privacy matters since 2021.
