Ascension, one of the largest U.S. healthcare systems, revealed that a May 2024 ransomware attack was caused by an employee who downloaded a malicious file onto a company device.

Ascension says this was likely an “honest mistake” as the employee thought they were downloading a legitimate file.

The attack impacted the MyChart electronic health records system, phones, and systems used to order tests, procedures, and medications, prompting the healthcare giant to take some devices offline on May 8 to contain what it described at the time as a “cyber security event,”

This forced employees to keep track of procedures and medications on paper, as they could no longer access patient records electronically.

Ascension also paused some non-emergent elective procedures, tests, and appointments and diverted emergency medical services to other healthcare units to avoid triage delays.

On Wednesday, it said that some of its services are still being impacted, and the healthcare system is still working on bringing some electronic health records systems, patient portals, and phone systems, as well as tests, procedures, and medication ordering systems online.

It also added that an ongoing investigation found evidence the threat actors only gained access to and stole files from seven out of thousands of servers on its network.

“At this point, we now have evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks. These servers represent seven of the approximately 25,000 servers across our network,” an Ascension spokesperson said.

“Though we are still investigating, we believe some of those files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals, although the specific data may differ from individual to individual.”

However, Ascension says it has yet to find proof that the attackers stole data from its Electronic Health Records (EHR) and other clinical systems, which store the full patient records.

Ransomware attack linked to Black Basta

While the healthcare giant has yet to link the attack to a specific ransomware operation, CNN reported that the Black Basta gang is behind the incident.

Days after the attack, Health-ISAC (Information Sharing and Analysis Center) also issued a threat bulletin warning that Black Basta “has recently accelerated attacks against the healthcare sector.”

Since it surfaced in April 2022, Black Basta’s affiliates have breached the networks of many high-profile victims, including Rheinmetall, Capita, ABB, and the Toronto Public Library.

Joint research from Elliptic and Corvus Insurance also revealed the gang made over $100 million from 90+ victims until November 2023.

As one of the largest nonprofit health networks in the U.S., Ascension operates 140 hospitals and 40 senior care facilities, and it reported a total revenue of $28.3 billion in 2023.

Ascension also employs 8,500 providers and has 35,000 affiliated providers and 134,000 associates across 19 states and the District of Columbia.