Educational & easy-to consume visual guides to understanding attacks & enhancing resilience
Disclaimer: This document has been created with the sole purpose of encouraging discourse on the subject of cybersecurity and good security practices. Our intention is not to defame any company, person or legal entity. Every piece of information mentioned herein is based on reports and data freely available online. Cyber Management Alliance neither takes credit nor any responsibility for the accuracy of any source or information shared herein.
In May 2024, Ascension — one of the largest healthcare systems in the United States and the largest Catholic and nonprofit health system in the country — was hit by a major ransomware attack, which reporting attributed to the Black Basta ransomware gang. Ascension detected unusual activity on 8 May 2024 and took systems offline. The attack knocked out its electronic health records (EHR) system and the MyChart patient portal, forced several hospitals to divert ambulances, and pushed clinical staff onto manual paper-based workarounds for weeks. Attackers stole files from a small number of servers, some of which may have contained patient data. It became one of the most disruptive healthcare cyber attacks of 2024.
Ascension detected unusual activity on 8 May 2024 and took affected systems offline that day. On 9 May 2024, a US national security official publicly confirmed it was a ransomware attack. The disruption lasted around a month, with EHR access restored across Ascension's markets on a rolling basis through late May and June 2024 and full ministry-wide restoration targeted for 14 June 2024. Ascension filed an interim breach report with regulators on 3 July 2024.
Reporting attributed the attack to the Black Basta ransomware gang, though this was described as suspected rather than formally confirmed by Ascension. Around the same time, the FBI, CISA and HHS issued a joint advisory warning that Black Basta had targeted the healthcare sector and 12 of the 16 US critical infrastructure sectors, and had attacked at least 500 organisations globally between April 2022 and May 2024.
Ascension stated that an employee at one of its facilities accidentally downloaded a malicious file they believed was legitimate, which the company characterised as an honest mistake. Security reporting also linked the intrusion to the suspected exploitation of CVE-2024-1709, a vulnerability in ConnectWise's ScreenConnect remote-access software. The combination highlights how a single user action and unpatched third-party software can open the door to a major ransomware incident.
Ascension reported that attackers were able to take files from seven of its approximately 25,000 servers — machines used by associates primarily for daily and routine tasks. The company said some of those files may have contained Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals, though the specific data varied from person to person. Importantly, Ascension said it had no evidence that data was taken from its EHR or other clinical systems, where full patient records are securely stored.
The impact on care was severe. With the EHR and MyChart systems down, several hospitals diverted ambulances, some non-emergent procedures, tests and appointments were paused, and clinicians reverted to handwritten notes, faxes, sticky notes and spreadsheets. Nurses reported dangerously long waits for test results and several near-miss medication errors. The disruption affected hospitals across multiple US states and prompted healthcare unions to demand stronger safety measures.
There is no report that Ascension paid a ransom; in the timeline documents the ransom-paid status is recorded as not applicable. Ascension focused publicly on investigation, restoration and recovery rather than any ransom negotiation, and no confirmed ransom demand or payment figure was established in reporting.
Downtime lasted roughly one month, with recovery of core systems taking close to four weeks. Ascension restored EHR access market by market on a rolling basis — beginning with its first market in late May 2024 and expanding through Florida, Alabama, Tennessee, Maryland, Central Texas, Oklahoma and other states in early June — and targeted full ministry-wide EHR restoration by 14 June 2024.
Ascension took systems offline, launched an investigation and activated remediation immediately. It engaged Mandiant and brought in additional experts from Palo Alto Networks' Unit 42 and CYPFER to support the rebuild. It notified law enforcement and government partners including the FBI, CISA, HHS and the American Hospital Association, and shared threat intelligence with the Health Information Sharing and Analysis Center (H-ISAC). It also kept patients and clinicians updated through regular website and blog posts throughout the recovery.
Yes. Ascension notified the FBI, CISA and HHS, and on 3 July 2024 reported the breach to the HHS Office for Civil Rights (OCR) with an interim figure of 500 affected individuals — a common placeholder used under the HIPAA Breach Notification Rule when the true number is not yet known. Ascension confirmed this was an interim report and that an updated total would follow once its investigation and data review concluded.
The Ascension incident showed how a ransomware attack on a healthcare provider becomes a patient-safety event, not just an IT problem. The loss of EHR and medication systems directly endangered care across a system serving millions of patients, and a US national security official cited it as evidence that critical services which cannot be disrupted may need stronger regulation. It underlined healthcare's deep reliance on digital systems and the human cost when those systems fail.
The Ascension attack highlights several lessons: staff awareness training matters because a single accidental malicious-file download can trigger a system-wide crisis; third-party remote-access tools must be patched quickly; offline downtime procedures and clinical continuity plans are essential for healthcare and other critical services; and well-rehearsed incident response and crisis communication limit harm during prolonged outages. Cyber Management Alliance helps organisations build these capabilities through training, cyber crisis tabletop exercises and incident response planning.
We offer a host of courses including our NCSC Assured Training in Cyber Incident Planning and Response and our NCSC Assured Training in Building and Optimising Incident Response Playbooks.
Hands On, full-support 'Security As a Service', specifically designed for organisations that require access to experienced cybersecurity, governance, risk and compliance professionals.
A unique, affordable, subscription-based, cybersecurity service for small to medium businesses, offering 280+ services in cybersecurity.
Scenario-based, verbally-simulated tabletop attack exercises that test your organisation's ability to effectively respond to a cyber-attack.