Ascension Health has begun notifying individuals of yet another data breach that exposed their personally identifiable information (PII) and sensitive health records. Notifications were sent out to patients starting April 30, 2025 — nearly six months after Ascension discovered the breach on December 5, 2024.

An official investigation concluded on January 21, 2025. It revealed that Ascension inadvertently disclosed data to a former business partner, and some of that information was likely stolen due to a vulnerability in third-party software used by that partner.

Ascension confirmed that the stolen data included sensitive personal information, such as:

  • Name
  • Address
  • Phone number(s)
  • Email
  • Date of birth
  • Race
  • Gender
  • Social Security number (SSN)

Additionally, the stolen data included clinical information, such as service locations, admission and discharge dates, diagnoses, medical record numbers, insurance details, and billing codes.

“Importantly, this incident did not involve Ascension systems, networks, or electronic health records,” Ascension clarified in its official statement. The breach impacted facilities and patients in Alabama, Michigan, Indiana, Tennessee, and Texas. The company also reported the incident to the Massachusetts Attorney General’s office.

Ascension is one of the largest private healthcare systems in the US. The Catholic non-profit operates in 19 states and employs over 142,000 people across 142 hospitals and 40 senior living facilities.

Although the full scope of the leak is still unclear, Ascension is offering affected individuals two years of complimentary identity monitoring services. It is also encouraging patients to check their credit reports and place a fraud alert as a precaution.

This incident comes less than a year after a catastrophic data breach that exposed the records of over 5.6 million patients, as reported by HIPAA.

Unfortunately, incidents like these have become increasingly common among healthcare providers using third-party vendors. We recently reported on the exposure of 8 million healthcare workers’ PII by a UK-based software company. Cybersecurity researcher Jeremiah Fowler also discovered an unprotected database containing over 4.8 million records linked to Care1.