Health and Human Services disclosed May 9 that a recent Ascension Healthcare breach impacted 437,329 patients.

Ascension did not disclose the number of patients affected when it first reported the April 28 breach a couple of weeks ago. While it's a much smaller number than the 5.6 million people affected by the May 2024 breach involving ransomware group Black Basta, security pros still considered it a significant incident.

The recent case underscored the need for healthcare agencies and all organizations to refocus on third-party threats, since Ascension admitted that data was stolen after the attacker exploited a vulnerability in software a third-party business partner was using.

The compromised information includes names, addresses, email addresses, phone numbers, Social Security numbers, and diagnosis and health insurance information.

"Healthcare relies on complex, fragmented ecosystems where third parties get privileged access to sensitive data without equivalent security controls," said Nic Adams, co-founder and CEO of 0rcus. "The problematic recurring theme is indicative of vendors still operating legacy systems, where lacking endpoint visibility becomes the weakest link and exposes wide attack surfaces through unsecured APIs, unmanaged file transfers, and vulnerable VPN credentials."

Adams said we keep seeing third-party incidents similar to the Target hack in 2013 because the architecture never changed. Ascension was breached through vendor software in 2024, which is the same exploit class as the Target breach.

"Why does the industry still handle third-party risk like paperwork instead of adversarial entry points?" asked Adams. "What's missing is a zero-trust perimeter across vendor interfaces, real-time telemetry at the integration layer, and active red-teaming of partner connections. I guarantee almost no healthcare orgs have ever simulated a vendor-based breach. Yet, attackers simulate it daily."

Agnidipta Sarkar, vice president and CISO Advisory at ColorTokens, added that what Ascension Health experienced should be a warning to all hospitals and should help leadership identify investments to protect against supply chain attacks.

"And not only hospitals," said Sarkar. "If you remember the Sunburst supply chain attack in 2020 (SolarWinds), the impact was not only data leaks; it was far bigger, including reputational damage and lost revenue."

Marc Gaffan, chief executive officer of Ionix, pointed out that third-party software and components such as scripts and libraries that aren't under a security team's control can be the most problematic.

"It's incredibly difficult to secure what you don't own or even know exists," said Gaffan. "That's why visibility into every external asset, and validating which assets are actually exploitable, are the keys to managing third-party vulnerabilities."
April 2025 Ascension Health breach affected 437,329, reports HHS