Ascension: 'Systems Are Being Restored' After Cyberattack

‘While we expect this process will take time to complete, we are making progress and systems are being restored in a coordinated manner at each of our care sites,’ Ascension said in an update over the weekend.

Days after a ransomware attack paralyzed Ascension health system, shutting down its electronic health records system and forcing it to divert emergency care at some of its hospitals, the organization said this weekend its systems are being restored.

“While our restoration work continues in earnest, our focus is on restoring systems as safely as possible,” the St. Louis-based health system said in an update on Saturday that confirmed the ransomware attack. “While we expect this process will take time to complete, we are making progress and systems are being restored in a coordinated manner at each of our care sites. We will continue to share updates on our recovery process.”

Ascension also said that it was in close contact with the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), and “we are sharing relevant threat intelligence with the Health Information Sharing and Analysis Center (H-ISAC) so that our industry partners and peers can take steps to protect themselves from similar incidents.”


The FBI told CRN in a statement that it was “aware of the situation” and declined to comment further. CRN has reached out to Ascension and CISA for further comment.

On Friday, CNN, citing four sources, reported that Ascension suffered a ransomware attack with signs that the Russian-linked Black Basta group was behind the data breach.

That same day, the H-ISAC sent out an alert to its health sector member organizations saying that Black Basta “has recently accelerated attacks against the healthcare sector.”

CISA, the Department of Justice and the Department of Health and Human Services that same day sent out an advisory detailing Black Basta, which it said is considered a ransomware-as-a-service variant and was first identified in April 2022. Ransomware as a service is a subscription-based model that allows affiliates to use predeveloped ransomware tools to execute ransomware attacks, according to security vendor Palo Alto Networks.

The group, according to authorities, not only executes ransomware but also exfiltrates sensitive data, operating a cybercrime marketplace to publicly release it should a victim fail to pay a ransom.

As of May 2024, Black Basta affiliates have impacted over 500 organizations around the world, according to federal authorities.

Previous victims of its attacks include Dish Network, the American Dental Association, business process services firm Capita and tech firm ABB.

Ascension, a nonprofit and Catholic health system with 140 hospitals in the U.S., said May 8 that it initially detected “unusual activity on select technology network systems.” Ascension referred to the data breach as a “cybersecurity incident” at the time and said that it was working “around the clock with internal and external advisors to investigate, contain, and restore our systems following a thorough validation and screening process.”

In addition to its electronic health records system being unavailable, the health system said that its MyChart system wasn’t functional. MyChart allows patients to access their medical records and communicate with healthcare providers. Ascension said some phone systems and various systems to order certain tests, procedures and medications were also not working.

Michael Goldstein, president and CEO of Fort Lauderdale, Fla.-based LAN Infotech, told CRN that with a cyberattack on a health sector-related organization, “there’s a lot of data that could go out there. If you think about when we go to a hospital or medical facility, all the information that we have to give them. When it causes some disruption, it becomes national. It kind of gets those attackers, if they leave a footprint, the publicity that they’re looking for.... I always look at healthcare and public utilities as big targets. This looks like a large number of hospitals that were affected from this group.”

The nonprofit had already said that it was using Mandiant to assist in the investigation and remediation process.

“It’s almost like déjà vu all over again,” Luis Alvarez, president and CEO of Salinas, Calif.-based Alvarez Technology Group, told CRN. “It looks like a mirror image of Change Health,” referring to the cyberattack earlier this year against a unit within UnitedHealth Group subsidiary Optum, which led to major disruptions for U.S. pharmacies and patients, according to reports. The attack forced UnitedHealth to pay a $22 million ransom and admit that a lack of multifactor authentication on a Change Healthcare server enabled the attack to succeed.

“It continues to happen in a number of industries,” Alvarez said. “Healthcare is more notable because impacts are felt much quicker. I do give Ascension credit for immediately informing their partners and saying, ‘Hey you might want to disconnect your systems from ours because we don’t know how far this is going.’ Unlike the Change Healthcare [attack] where there was a lot of fog of war-type stuff where people were wondering what’s going on, how this might be affecting us. I give Ascension credit for being very open and very transparent.”