One of the US's largest hospital providers, Ascension, fired IT staff in a cost-cutting drive; now it’s sucking up a cyber attack

"Unusual activity on select technology network systems" causes nationwide medical chaos as doctors lose access to EMR.

The Ascension cybersecurity incident is affecting hospitals like 566-bed Sacred Heart in Pensacola, Florida.

One of the US’s largest hospital operators, Ascension, has been hit with a cyberattack that left staff unable to access critical systems like Electronic Medical Records (EMR) software – causing chaos in major US hospitals.

Confirming “unusual activity on select technology network systems, which we now believe is due to a cyber security event,” Ascension said today (May 9, 2024) that it has engaged Mandiant for incident response.

The Catholic non-profit said in a short note: “We responded immediately, initiated our investigation and activated our remediation efforts. Access to some systems have been interrupted as this process continues.” 

Local reports suggest impact in multiple states including Wisconsin, Texas, Oklahoma, Indiana and Michigan, whilst one doctor posted: “Paper forms? No one knew where they were or which ones to use for hours. I left still not knowing how to place lab orders, talked with dozens of people from lab to phlebotomy to management, no one knew.

“Everyone was running around trying to figure it out and doing their best but it took hours and multiple tries to get the right forms for an admission. The night resident still had to do more work to get it right. Still no answer on how to order labs,” posted Dr Natalie Sirianni on X.

Ascension is a sprawling entity that describes itself as a “Catholic national health system consisting primarily of nonprofit corporations that own and operate local healthcare facilities” including 140 hospitals in 18 states. 

Ascension has been on a major cost-cutting drive in recent years and posted a net loss of $2.7 billion for fiscal year 2023. This week’s cybersecurity incident comes three years after Ascension fired hundreds of IT staff and outsourced the roles to India. On Reddit after that decision, one purported former staffer commented “it needs to be publicly understood that trying to pull some lowest common denominator shit with your ENTIRE IT department is going to go up in flames.”  

In March 2024, meanwhile, the company also said it was outsourcing all “hospitalist” roles to private equity-backed SCP Health. Medical directors, doctors, and nurse practitioners previously employed by Ascension will have to reapply for their jobs with SCP Health, according to Crain’s Chicago Business, which first reported the story earlier this year.

The incident comes after healthcare tech and payments provider Change Healthcare confirmed that it had paid a $22 million ransom after an attack on its systems in February that will cause it over $1.6 billion in damages.

Change Healthcare said in Q1 earnings published in April that it had suffered “$872 million in unfavorable cyberattack effects” in the quarter alone. CFO John Rex said on an April 16 earnings call that “$595 million were direct costs due to the clearinghouse platform restoration and other response efforts.”

Ambulances are being diverted from Ascension hospitals this week as the company tries to get a grip on the crisis.
