Cyber Incident Victim: Ascension St. Vincent's Hospital
Date: Aug 2022
Location: United States of America
Summary
A ransomware attack targeted a legacy computer system at Ascension St. Vincent’s Coastal Cardiology, compromising protected health information of past patients treated prior to the organization's acquisition. The breach exposed sensitive data including names, Social Security numbers, addresses, email and phone numbers, insurance details, clinical records, and billing information. The organization secured the affected network, engaged cybersecurity experts, and notified law enforcement, but encryption prevented definitive confirmation of accessed files. Notification letters were subsequently issued to impacted individuals regarding the unauthorized access to their personal and medical data. Current systems were unaffected by the incident.
Description
On August 15, 2022, Ascension discovered a ransomware attack targeting legacy computer systems associated with Coastal Cardiology, a practice it had recently acquired. The compromised systems contained protected health information of patients who had received care at Coastal Cardiology prior to its acquisition by Ascension. Upon detection, Ascension immediately secured the legacy network infrastructure, engaged a cybersecurity firm to investigate the incident, and reported the breach to law enforcement authorities. Despite these containment efforts, unauthorized actors successfully accessed and encrypted the legacy system, preventing Ascension from definitively determining the exact scope of compromised data. The investigation confirmed that no current Ascension systems were affected by the breach, as the attack was isolated to the inherited legacy environment.

The breach exposed sensitive patient information including full names, Social Security numbers, physical addresses, email addresses, telephone numbers, health insurance details, clinical records, and billing information. Ascension formally notified the U.S. Department of Health and Human Services Office for Civil Rights about the incident on October 14, 2022, classifying it as a data breach under federal regulations. That same day, Ascension St. Vincent’s Coastal Cardiology initiated notification letters to all affected individuals, advising them of the potential exposure of their personal and medical data. The notifications outlined the categories of compromised information but did not specify the number of impacted patients or the methodology used by the attackers. No evidence suggested misuse of the data at the time of disclosure, though the breach created significant risks of identity theft and financial fraud for former Coastal Cardiology patients.
