The healthcare industry has become a prime target for ransomware attacks in recent years. 

These malicious incursions, wherein an attacker encrypts sensitive files and makes them inaccessible until a ransom is paid, not only severely disrupt operations but also put sensitive patient data at risk. One of the latest victims is Ascension, a leading healthcare provider with 140 hospitals across the US, which suffered a devastating breach in May 2024. 

This blog post delves into what happened during the Ascension hack, the financial and reputational costs for the company, and how healthcare companies should approach patient data security in order to fend off attacks like these.

Get Our Latest Blogs Straight to Your Inbox

The Ascension ransomware attack: what happened?

On May 8, Ascension experienced a ransomware attack that locked providers out of systems that track and coordinate many aspects of patient care, including systems for some phones, electronic health records, and ones that are used to order medications and tests. 

The attackers also managed to infiltrate Ascension’s network, exfiltrating files that contained protected health information (PHI) and personally identifiable information (PII). 

The attack is believed to have been carried out by BlackBasta, a well-known ransomware attack group that has won itself more than $100 million via ransomware schemes from 329 organizations over the past two years.

The cost of leaked patient data

It is unknown exactly how many patients had their personal data exfiltrated, but the personal cost of data breaches to said individuals cannot be overstated. 

When patient data is leaked, it can lead to:

First-class lawsuits were filed by some hospital patients following the attack, alleging that Ascension failed to implement reasonable and appropriate safeguards, such as encryption, to protect the data it holds. The lawsuits allege that the plaintiffs’ protected health information is now in the hands of cybercriminals due to Ascension’s failure to ensure security, and that the plaintiffs and class members face an elevated risk of identity theft and fraud that will continue for numerous years to come.

Financial and reputational costs for Ascension

In addition to the serious repercussions to individuals, the financial and reputational impact of the ransomware attack on Ascension has also been considerable. 

The immediate costs of ransomware attacks include:

The reputational damage is equally significant. Trust is paramount in healthcare, and a breach can erode patient confidence, potentially leading to a loss of business and long-term harm to the brand.

The need for enhanced data security measures

The Ascension hack underscores the urgent need for healthcare organizations to fortify their cybersecurity defenses.

“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” said Jeff Tully, a co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego. “These types of cybersecurity incidents should be thought of as a matter of when, and not if.”

Here are some key measures that healthcare companies should be implementing, if not already implemented:

As we’ve seen, ransomware attacks are grave matters, and healthcare companies must take immediate steps to protect themselves and their patients.

Unique Challenges of BYOD Workforces

As ransomware attacks have surged, the adoption of telehealth has also increased, leading to a rise in remote workforces and contractors. In response, many companies are adopting Bring Your Own Device (BYOD) policies, which provide flexibility and cost savings for remote workers and companies alike. However, this shift introduces unique cybersecurity challenges for healthcare organizations. Personal devices used to access sensitive patient data can become vulnerable entry points for cyberattacks if not properly secured.

Healthcare companies must address several key challenges when securing healthcare BYOD workforces:

How Venn can help secure patient data and maintain HIPAA compliance for BYOD Workforces

As many of Venn’s customers are healthcare companies, we understand the importance of securing PHI and PII through security measures. That’s why our Blue Border was built in meticulous alignment with HIPAA’s administrative, physical, and technical safeguards – so our healthcare customers can comprehensively comply with these standards and protect themselves and their patients against ransomware attacks.

Venn is the first purpose-built, patented technology for securing contractors and remote workers on personal or unmanaged devices. Similar to an MDM solution but for laptops – work lives in a company-controlled Secure Enclave installed on the user’s PC or Mac, where business activity is isolated and protected from any personal use on the same computer.

By utilizing Venn, healthcare companies like Ascension stand to protect themselves against the brutality of ransomware attacks, protect their patient data, and avoid the serious financial and reputational damages of such attacks. 

If you want to learn more about how Venn supports HIPAA, download our latest whitepaper.

Ronnie Shvueli

Ronnie Shvueli

Digital Content Marketing Manager

Responsible for steering Venn's digital narrative to new heights. I'm dedicated to crafting compelling content strategies that drive engagement and elevate brand stories.