Written by: Dr. Aishwarya Sarthe
April 30, 2025
Ascension Health has confirmed a patient data breach affecting care sites in Alabama, Michigan, Indiana, Tennessee, and Texas.
The breach, identified on December 5, 2024, was traced to a vulnerability in third-party software used by a former business partner. Ascension clarified that the breach did not involve its own systems or electronic health records.
The St. Louis-based healthcare provider disclosed the incident in a public statement issued Monday, April 30. The breach impacted sensitive patient information, including both demographic and clinical data.
“Some of that information was determined to have been ‘likely stolen’ due to a ‘vulnerability in third-party software’ used by the former partner,” said Ascension spokesperson Chris Hunt.
According to Ascension, the exposed data includes patient names, addresses, phone numbers, email addresses, dates of birth, race, gender, and Social Security numbers.
Additionally, clinical details such as inpatient visit data, physician names, admission and discharge dates, diagnoses, billing codes, and insurance information were potentially compromised.
“The exact type of information involved varied by patient,” Hunt noted. The internal investigation concluded in late January that specific information had been inadvertently shared with the former partner, leading to the potential breach.
In Michigan, Ascension operates four hospitals and 35 outpatient clinics, including Ascension Borgess Hospital in Kalamazoo.
Ascension offers two years of complimentary credit monitoring and identity theft protection services through Kroll. The package includes fraud consultation, identity theft restoration, and continuous credit monitoring.
“Affected patients have been provided with a guide on protecting their information and are encouraged to monitor their credit reports for any suspicious activity closely,” Hunt said.
Ascension has also reviewed its internal protocols and stated that it is implementing further security measures. “We are working to implement enhanced measures to prevent similar incidents from occurring in the future,” Hunt added.
A dedicated call center has been established to address patient inquiries. The helpline is available at 866-408-3556 from 8 a.m. to 5:30 p.m. CST, Monday through Friday, excluding major U.S. holidays.
This breach disclosure comes shortly after a separate development in Michigan, where Ascension announced the sale of its remaining hospitals and outpatient clinics in the state to Beacon Health System, an Indiana-based healthcare organization.