What Happened
On May 8, 2024, the Black Basta ransomware group attacked Ascension Health, one of the largest healthcare systems in the United States with approximately 140 hospitals and 40 senior living facilities across 19 states. The attack forced hospitals to divert emergency patients, postpone elective surgeries, and revert to paper-based record keeping for weeks.
Ascension later confirmed that attackers accessed protected health information of approximately 5.6 million patients, making it one of the most impactful healthcare ransomware attacks of 2024.
How They Got In
The attack began when an Ascension employee opened a malicious file attachment, believing it to be a legitimate document. The file deployed malware that gave attackers initial access to Ascension’s network.
Once inside, the attackers moved laterally through the environment, ultimately accessing 7 of Ascension’s approximately 25,000 servers. The compromised servers contained files with protected health information. Attackers exfiltrated data before deploying the Black Basta ransomware to encrypt systems.
Operational Disruption
The ransomware deployment caused immediate and severe operational impacts across Ascension facilities. Hospitals in multiple states diverted ambulances to other facilities because they could not safely accept emergency patients without access to electronic medical records.
Elective surgeries and non-urgent procedures were postponed while hospitals worked to restore systems. Clinical staff reverted to paper records for documenting patient care, significantly slowing operations. Pharmacies faced difficulties filling prescriptions without access to patient medication histories and allergy information.
Some Ascension facilities experienced disruptions lasting weeks. The attack demonstrated how ransomware against healthcare organizations creates patient safety risks beyond data theft.
Data Exposed
Ascension confirmed that attackers accessed protected health information including names, addresses, dates of birth, Social Security numbers, medical record numbers, treatment information, clinical data, and health insurance information. The specific data exposed varied by individual based on their interactions with Ascension facilities.
Financial Impact
Ascension reported a net loss of $1.1 billion for fiscal year 2024, with the ransomware attack contributing significantly to the loss. Costs included incident response and recovery, legal expenses, credit monitoring for affected individuals, and lost revenue during the operational disruption.
The organization also faced multiple class action lawsuits from patients and employees affected by the breach.
Black Basta Operations
Black Basta emerged in April 2022 and quickly became one of the most prolific ransomware operations, believed to be composed of former Conti ransomware members. The group operates a ransomware-as-a-service model and is known for targeting high-value organizations across healthcare, manufacturing, and critical infrastructure.
Black Basta typically gains initial access through phishing emails or exploiting vulnerabilities, then uses legitimate tools for lateral movement before deploying ransomware. The group practices double extortion, threatening to publish stolen data if ransoms are not paid.
Lessons Learned
The Ascension attack reinforced several critical lessons for healthcare cybersecurity. Email security and user training remain essential as phishing continues to be a primary initial access vector. Network segmentation can limit ransomware spread even after initial compromise. Incident response plans must include provisions for maintaining patient care during extended system outages. Offline backups and tested recovery procedures enable faster restoration of critical systems.
Healthcare organizations should assume they will be targeted and prepare accordingly with defense-in-depth strategies and practiced response procedures.