Cybercriminals stole files from hospital system Ascension that likely contained personal information, Ascension said in a statement Wednesday, about a month after revealing it had fallen victim to a ransomware attack.
Ascension said it now has evidence that the attackers took files from seven of the system’s 25,000 file servers. Ascension is still investigating but said it believes those files may contain protected health information and personally identifiable information for some individuals. The system does not yet know exactly which data was stolen or from which patients, Ascension said.
Ascension said it has no evidence that the attackers stole data from its electronic health records. The system said the attack occurred after a person working at one of its facilities accidentally downloaded a malicious file that the person thought was legitimate.
Ascension is offering free credit monitoring and identity theft protection services to any patient or employee who would like the services, and those who wish to enroll can call 1-888-498-8066.
Ascension is a nationwide health system with about 150 sites of care in Illinois, including 14 hospitals.
The system has said that it discovered the attack on May 8. The systems’ hospitals and clinics postponed some elective surgeries and appointments, and one Ascension Illinois hospital temporarily went on ambulance bypass, meaning ambulances were asked to take new patients to other hospitals.
A nurse in at least one of Ascension’s Illinois hospitals said, shortly after the attack, nurses couldn’t automatically see doctors’ orders for patients, such as for medication or tests, or use their usual procedures to ensure accuracy when administering medication to patients.
Ascension Illinois said earlier this week that it had restored the primary technology it uses for electronic patient documentation, which would allow hospitals and doctors offices to again document, chart and send orders electronically.
The incident at Ascension was one of the latest in a string of cyberattacks on health care institutions in Illinois and across the country. Lurie Children’s Hospital in Chicago was attacked in January, and University of Chicago Medical Center said in late May that the information of about 10,300 people may have been exposed in a phishing incident.
Cybercriminals often target health systems because of their size, their dependence on technology and the large amounts of sensitive data they hold, according to the U.S. Department of Health and Human Services.