Ascension Cyberattack: Electronic Health Records System Not Working, Some Elective Procedures ‘Temporarily Paused’

St. Louis-based Ascension, which operates 140 hospitals in the U.S., said in its latest update that it did not have a timeline for restoring its system.

Ascension, a health system with 140 hospitals and operations in 19 states and Washington, D.C. that said it suffered a data breach this week, said Thursday that its electronic health records system was “currently unavailable” and that it was pausing some non-emergency elective procedures at its hospitals “out of an abundance of caution.”

The nonprofit and Catholic health system said that on Wednesday it detected “unusual activity on select technology network systems.” In an update on Thursday, Ascension referred to the data breach as a “cybersecurity incident” and said that it was working “around the clock with internal and external advisors to investigate, contain, and restore our systems following a thorough validation and screening process.” The nonprofit had already said that it was using Mandiant to assist in the investigation and remediation process.

The St. Louis-based health system said in its latest update that it did not have a timeline for restoring its system.

In addition to its electronic health records system being unavailable, the health system said that its MyChart system wasn’t functional. MyChart allows patients to access their medical records and communicate with healthcare providers. Ascension said some phone systems and various systems to order certain tests, procedures and medications were also not working.

The health system was advising patients to bring appointment notes on their symptoms and a list of current medications and prescriptions numbers or prescription bottles “so their care team can call in medication needs to pharmacies.”

In addition, “Out of an abundance of caution... some non-emergent elective procedures, tests and appointments have been temporarily paused while we work to bring systems back online.”

Ascension says it has 134,000 associates, has 35,000 affiliated providers and operates 140 hospitals.

The latest cyberattack on a major healthcare system comes on the heels of other notable health sector data breaches.

In February, a cyberattack against a unit within UnitedHealth Group subsidiary Optum, Change Healthcare, led to major disruptions for U.S. pharmacies and patients, according to reports. The attack forced UnitedHealth to pay a $22 million ransom and admit that a lack of multifactor authentication on a Change Healthcare server enabled the attack to succeed.

In January 2023, Lehigh Valley Health Network in Pennsylvania was hit by a cybersecurity attack by the ransomware gang known as BlackCat. In that attack, more than 2,700 people reportedly were affected by the hack, which included the subsequent leak of nude photos and personal information of cancer patients.

Last month, the U.S. Department of Health and Human Services warned the health sector that threat actors were “employing advanced social engineering tactics to target IT help desks in the health sector and gain initial access to target organizations.” According to the alert, organizations should use Microsoft Authenticator with number matching and remove SMS as an MFA verification option, among other directives.