AUSTIN, Texas — Ascension now says cyberattackers who targeted the hospital system in May were able to take files from a small number of servers.
In an update on June 12, Ascension said it is continuing its investigation and, at this point, it now has "evidence that indicates that the attackers were able to take files from a small number of file servers used by our associates primarily for daily and routine tasks."
Ascension said those servers represent seven of the approximately 25,000 servers across its network. Although Ascension said it's still investigating, it believes "some of those files may contain Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals, although the specific data may differ from individual to individual."
Ascension also said it has identified how the attackers gained access to its systems.
"An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate," the hospital system said. "We have no reason to believe this was anything but an honest mistake."
Ascension said at this time, it has no evidence showing data was taken from its Electronic Health Records (EHR) and other clinical systems, where its full patient records are "securely stored."
The hospital system said it doesn't currently know exactly what data was potentially affected and for which patients. Conducting a full review of possibly impacted files will take time, Ascension said.
In the meantime, the hospital system is offering complimentary credit monitoring and identity theft protection services to any patient or associate who requests it. Those who wish to enroll in these services, free of charge, can call Ascension's dedicated call center at 1-888-498-8066.
"We encourage all Ascension patients and staff who are concerned to take advantage of these services. We want to be clear, however, that this offer does not mean we have determined that any specific individual patient’s data has been compromised," Ascension said. "Rather, it illustrates our desire to do everything possible to reassure our patients and associates, regardless of any impact to specific individuals’ data."
Ascension also noted that while it understands patients and associates may have questions about their data, including whether it was impacted by the cyberattack, at this point, it is "not able to answer those questions on an individual basis." Ascension said once its data analysis is complete, it is committed to "following all applicable laws and regulations to notify affected individuals and the appropriate regulatory bodies."