Cyber-attack Timeline: Ascension

Educational & easy-to consume visual guides to understanding attacks & enhancing resilience

Ascension Timeline Cover Ascension Timeline Summary

Download Our Educational Cyber-Attack Timeline: Ascension

Yet another crippling healthcare cyber attack. Ascension, one of the largest healthcare systems in the United States, detected unusual activity in May, 2024 and soon discovered that it was a victim of a major ransomware attack.   

The attack caused significant disruptions, including the unavailability of the electronic health records system (MyChart), which affected patient access to medical records and communication with providers. Some non-emergent procedures were paused, and several hospitals had to divert ambulances due to system outages. 

The attack raised concerns among healthcare workers and patients, particularly regarding the challenges faced due to the lack of access to electronic medical records. This situation prompted calls for enhanced safety measures from healthcare unions.

Learn all about how this attack unfolded, its detailed impact and recover and response measures that were taken in our detailed Ascension Cyber Attack timeline and summary image.  

Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.

  • ** GDPR ** We wholeheartedly believe your and our rights to privacy and in the GDPR. The bottom of the page explains how we use your data. 
  • Align with the GDPR requirements.
  • Increase your Breach Readiness.
  • Reduce your time to detect and respond.

Complete the form below to receive a copy of the detailed Ascension attack timeline document and summary.

cyber-essentials-certification
NCSC Certified Training B&W 300px
CSC

FAQs on the Ascension Cyber Attack

  • 1. What happened in the Ascension cyber attack?

    In May 2024, Ascension — one of the largest healthcare systems in the United States and the largest Catholic and nonprofit health system in the country — was hit by a major ransomware attack, which reporting attributed to the Black Basta ransomware gang. Ascension detected unusual activity on 8 May 2024 and took systems offline. The attack knocked out its electronic health records (EHR) system and the MyChart patient portal, forced several hospitals to divert ambulances, and pushed clinical staff onto manual paper-based workarounds for weeks. Attackers stole files from a small number of servers, some of which may have contained patient data. It became one of the most disruptive healthcare cyber attacks of 2024.

  • 2. When did the Ascension cyber attack happen?

    Ascension detected unusual activity on 8 May 2024 and took affected systems offline that day. On 9 May 2024, a US national security official publicly confirmed it was a ransomware attack. The disruption lasted around a month, with EHR access restored across Ascension's markets on a rolling basis through late May and June 2024 and full ministry-wide restoration targeted for 14 June 2024. Ascension filed an interim breach report with regulators on 3 July 2024.

  • 3. Who was behind the Ascension cyber attack?

    Reporting attributed the attack to the Black Basta ransomware gang, though this was described as suspected rather than formally confirmed by Ascension. Around the same time, the FBI, CISA and HHS issued a joint advisory warning that Black Basta had targeted the healthcare sector and 12 of the 16 US critical infrastructure sectors, and had attacked at least 500 organisations globally between April 2022 and May 2024.

  • 4. How did the attackers gain access to Ascension's systems?

    Ascension stated that an employee at one of its facilities accidentally downloaded a malicious file they believed was legitimate, which the company characterised as an honest mistake. Security reporting also linked the intrusion to the suspected exploitation of CVE-2024-1709, a vulnerability in ConnectWise's ScreenConnect remote-access software. The combination highlights how a single user action and unpatched third-party software can open the door to a major ransomware incident.

  • 5. What data was stolen in the Ascension breach?

    Ascension reported that attackers were able to take files from seven of its approximately 25,000 servers — machines used by associates primarily for daily and routine tasks. The company said some of those files may have contained Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals, though the specific data varied from person to person. Importantly, Ascension said it had no evidence that data was taken from its EHR or other clinical systems, where full patient records are securely stored.

  • 6. How did the attack affect patients and hospital operations?

    The impact on care was severe. With the EHR and MyChart systems down, several hospitals diverted ambulances, some non-emergent procedures, tests and appointments were paused, and clinicians reverted to handwritten notes, faxes, sticky notes and spreadsheets. Nurses reported dangerously long waits for test results and several near-miss medication errors. The disruption affected hospitals across multiple US states and prompted healthcare unions to demand stronger safety measures.

  • 7. Was a ransom paid in the Ascension cyber attack?

    There is no report that Ascension paid a ransom; in the timeline documents the ransom-paid status is recorded as not applicable. Ascension focused publicly on investigation, restoration and recovery rather than any ransom negotiation, and no confirmed ransom demand or payment figure was established in reporting.

  • 8. How long was Ascension down and how did it recover?

    Downtime lasted roughly one month, with recovery of core systems taking close to four weeks. Ascension restored EHR access market by market on a rolling basis — beginning with its first market in late May 2024 and expanding through Florida, Alabama, Tennessee, Maryland, Central Texas, Oklahoma and other states in early June — and targeted full ministry-wide EHR restoration by 14 June 2024.

  • 9. How did Ascension respond to the attack?

    Ascension took systems offline, launched an investigation and activated remediation immediately. It engaged Mandiant and brought in additional experts from Palo Alto Networks' Unit 42 and CYPFER to support the rebuild. It notified law enforcement and government partners including the FBI, CISA, HHS and the American Hospital Association, and shared threat intelligence with the Health Information Sharing and Analysis Center (H-ISAC). It also kept patients and clinicians updated through regular website and blog posts throughout the recovery.

  • 10. Did Ascension report the breach to regulators?

    Yes. Ascension notified the FBI, CISA and HHS, and on 3 July 2024 reported the breach to the HHS Office for Civil Rights (OCR) with an interim figure of 500 affected individuals — a common placeholder used under the HIPAA Breach Notification Rule when the true number is not yet known. Ascension confirmed this was an interim report and that an updated total would follow once its investigation and data review concluded.

  • 11. Why was the Ascension cyber attack so significant?

    The Ascension incident showed how a ransomware attack on a healthcare provider becomes a patient-safety event, not just an IT problem. The loss of EHR and medication systems directly endangered care across a system serving millions of patients, and a US national security official cited it as evidence that critical services which cannot be disrupted may need stronger regulation. It underlined healthcare's deep reliance on digital systems and the human cost when those systems fail.

  • 12. What can organisations learn from the Ascension cyber attack?

    The Ascension attack highlights several lessons: staff awareness training matters because a single accidental malicious-file download can trigger a system-wide crisis; third-party remote-access tools must be patched quickly; offline downtime procedures and clinical continuity plans are essential for healthcare and other critical services; and well-rehearsed incident response and crisis communication limit harm during prolonged outages. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.

We are industry experienced practitioners when it comes to cyber security training & cyber security consultancy services

1487652208_graduationcap

Training

We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.

1487652701_like

Virtual CISO Services

Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.

1487652784_calendar-3

Virtual Cyber Assistant

A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.

1487652846_microphone

Cyber Crisis Tabletop Exercises

Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.

1487652632_search

Ransomware Tabletop Exercise

Measure your organisation’s Ransomware Readiness with a unique blend of verbal and visual simulations and ransomware scenario walkthroughs.

1487652567_line-chart

Executive Cyber Awareness Sessions

Specially designed for executive management, CEOs and boards of directors, engaging them in a business context to help explain the threats and risks from cyber-attacks.

How we use your data:

  • The form above collects personal information so we may email you the requested information and pressing the "Get your free copy now"  button acts as informed consent for this processing purpose. Consequently we may be in touch to:

    • Update you when we host our ground-breaking Wisdom of Crowds events in your country or region.
    • Keep you posted on free resources and documents around Wisdom of Crowds events and its outputs. (For example, we tend to create insightful mind maps and we also are the creators of free to view Insights with Cyber Leaders Video Interviews. )
    • Ping you a note about upcoming FREE educational webinars on GDPR and Cybersecurity.
    • Inform you of any upcoming Data Breach Response or Cyber Incident Response training.  
  • Using the information from this page we will NOT sell or market to you any of our consultancy or trusted advisory services.  
  • In its purest interpretation, this act of us communicating with you is direct marketing and is processed on the basis of our legitimate interest and your engaging in our services. All marketing communication will include an unsubscribe button or other method of ending communication.