The nation's largest Catholic health care system reported it experienced what it called a "cybersecurity incident" May 8, resulting in "a disruption to clinical operations." The cyberattack is part of a rising and dangerous criminal trend targeting the entire health care sector.
In a May 9 update posted to its website, Ascension said it had "detected unusual activity" in its network systems and was "working around the clock with internal and external advisors to investigate, contain, and restore our systems following a thorough validation and screening process."
The attack rendered unavailable Ascension's electronic health records system, along with "some phone systems, and various systems utilized to order certain tests, procedures and medications," according to the update.
Ascension said it had "temporarily paused" some nonemergency elective procedures, tests and appointments "out of an abundance of caution" while working to "bring systems back online."
"Due to downtime procedures, several hospitals are currently on diversion for emergency medical services in order to ensure emergency cases are triaged immediately," Ascension said.
"Safely caring for patients remains our highest priority as we navigate this cybersecurity incident," the health care system added. "We are actively supporting our ministries as they continue to provide safe, patient care with established downtime protocols and procedures, in which our workforce is well trained."
Ascension said it anticipated "utilizing downtime procedures for some time," and advised patients to "bring to their appointment notes on their symptoms and a list of current medications and prescription numbers or the prescription bottles so their care team can call in medication needs to pharmacies."
The health care sector is "particularly vulnerable" to cybersecurity attacks, according to the U.S. Department of Health and Human Services.
A recent HHS strategy report noted that health care facilities "are attractive targets for cyber criminals in light of their size, technological dependence, sensitive data, and unique vulnerability to disruptions."
Cyberattacks against health care systems are on the rise, according to the HHS, citing a 93% increase from 2018 to 2022.
HHS collaborates with the nation's Cybersecurity and Infrastructure Security Agency and Health Sector Coordinating Council Cybersecurity Working Group to strengthen defenses against such breaches.
The agencies collectively stress the need to be vigilant for attempts to gain unauthorized access to systems, denial of service (DOS) attacks lasting more than 12 hours, malicious code, email or mobile messages associated with phishing attempts, and ransomware targeting critical infrastructure.
Headquartered in St. Louis, the nonprofit Ascension was initially formed as Ascension Health in 1999 by the Daughters of Charity National Health System and the Sisters of St. Joseph Health System, joined by the Carondelet Health System in 2002.
Over the years, a number of health care organizations have joined Ascension, which now operates at more than 2,600 sites in 19 states and the District of Columbia.
Ascension's original sponsoring organizations were the St. Louise Province of the Daughters of Charity of St. Vincent de Paul, the Sisters of St. Joseph of Nazareth (now part of Congregation of St. Joseph), the Congregation of the Sisters of St. Joseph of Carondelet, the Congregation of Alexian Brothers and the Sisters of the Sorrowful Mother.
In 2011, the Vatican approved the creation of a canon law entity known as a "public juridic person" as the sole sponsor of Ascension, assuring the health care system "as a ministry will be sustained and strengthened over time, with both religious and lay persons serving as members," according to Ascension's website.