Health Giant Ascension Informs 5.6 Million Patients Their Sensitive Data Was Compromised 6 Months Ago
from the this-is-why-we-can't-have-nice-things dept
Another day, another major privacy scandal we’ll likely do nothing about.
Health care giant Ascension — which owns 140 hospitals and assisted living facilities — says that a May cyberattack compromised the sensitive data of more than 5.6 million patients.
According to a filing with the Maine Attorney General and a December 19th post to the Ascension website, the attack occurred in May, but Ascension is just getting around to informing victims six months later. Compromised data included names, social security numbers, addresses, sensitive health information, Medicare/Medicaid data, payment information, and more.
But don’t worry, Ascension is offering users the now standard “free credit monitoring”:
“Ascension is now in the process of notifying affected individuals. The organization is also offering two years of credit and fraud monitoring, a $1 million insurance reimbursement policy, and managed ID theft recovery services. The services became effective last Thursday.”
I’ve been included in so many hacks I’ve literally lost track of the companies now offering me a year of free credit reporting. Often from credit reporting companies who are also curiously incapable of securing their networks and systems themselves.
There are a lot of moving parts here. Our for-profit healthcare system routinely cuts corners on cybersecurity, creating a field day for ransomware attackers. Our lax antitrust reform means health giants routinely prioritize giant, pointless mergers that misdirect attention away from cybersecurity (and health care). Then of course you’ve got a country that’s simply too corrupt to pass a privacy law.
These scandals keep happening because companies and executives see no real repercussions for failing to properly invest in security infrastructure. When there is regulatory action for lax privacy, it comes in the form of piddly wrist-slap fines that are often litigated down to a pittance.
The corner cutting required to deliver impossible, unlimited quarterly growth to Wall Street routinely has a sort of cannibalizing effect on public safety and product quality. This “enshittification” is particularly problematic when it touches health care.
Since the Supreme Court has effectively neutered the independence of most regulators, and with Congress too corrupt to pass even a baseline privacy law for the Internet era, you can expect nothing to change anytime soon. At least until there’s a privacy breach so massive, deadly, or high profile that the country is finally shaken out of its corrupt apathy.
At which point the biggest companies in America will get together to ghostwrite a useless modern privacy law primarily focused on legalizing incompetence and making life harder on smaller competitors.
Filed Under: cyberattack, enshittification, hacked, health care, privacy, ransomware, security
Companies: ascension


Comments on “Health Giant Ascension Informs 5.6 Million Patients Their Sensitive Data Was Compromised 6 Months Ago”
Politicians when TikTok might be sending user data to China:
– “Sell it or we deport it!”
Politicians when US companies routinely collect, sell and lose user data:
– “…”
I hope John Oliver comes up with another data privacy scheme in his next season that will scare them a little. The last one evidently didn’t do anything.
Re:
In fact, many people are to believe that the people with the USERNAME strawb are stupid.
Re: Re:
Lots of people are talking about it.
Re: Re:
So, you are many, boring, people?
Re: Re:
Your schizophrenic multiple personas aren’t people.
Re: Re: Re:
It’s dissociative identity disorder, not schizophrenia that involves multiple personalities. Schizophrenia often involves auditory hallucinations, i.e. “hearing voices.”
Re: Re:
“are to believe that the people…”
You’re calling someone else stupid?!?
I concede it can make a helluva toaster but
Yeah call me a socialist if you want but I don’t think the profits uber alles mindset of the marketplace belongs in healthcare.
Or education, either, while we’re at it.
I’m guessing the “Free Credit Monitoring” does not last forever and eventually turns into a monthly charge if you let it.
Also speculation on my part that the credit monitoring folks seek expansion of their business opportunities. They might even stage some fake security breaches in order to sign up new potential paying clients.
idk, seems that wild speculation eventually turns into headline news.
Re:
As someone who cashes in on these free years, I am not required to provide a payment method to sign up for my free year. This is not a scam to sneak in subscription revenue. Hell, my last free year of Experian ended and the account was closed without me noticing. (The score and data offered was presented better by Credit Karma, and any premium features weren’t useful to me).
However, while there is no subscription grift, there is a grift. They offer add-on services, referral services, and want you to manually add to their honey pot of data on you for the next time they are breached. They are absolutely profiting on that ‘free year’.
Um… they did? How is HIPAA not relevant in this case? Tell me there are loopholes, or that the specific regulators are toothless (you mentioned it only in a general sense), and I’ll believe you, but don’t say there’s no law about health data.
There are some general state privacy laws like CCPA that could apply. Maybe GDPR will apply if some of the people have European citizenships or received medical care in Europe. Passing a general U.S. federal privacy law should be a priority, but we shouldn’t be so defeatist.
(I was just thinking, before I saw this story, about “virtual” medical clinics, involving video calls to doctors. I’m thinking those videos will eventually leak.)
This just helps perpetuate the idea that the person whose name was dropped is the victim of the fraudster. They’re not; they’re the victim of the bank or whoever’s trying to collect a loan the person never asked for or got.
Like, if I lend Pat $20 for lunch thinking it’s Chris, that’s really not Chris’s problem. Somehow people think it’s different if $20,000 is involved.
Ascension shouldn’t be offering monitoring; they should be offering full indemnification. Meaning if I see some fraudulent loan under my name, I’ll mail the documents to Ascension and say “I don’t wanna hear about no motherfuckin’ ifs! All I wanna hear from your ass is, ‘You ain’t got no problem. I’m on the motherfucker.'”
Sure, seems perfectly safe
Let’s let the company that lost our private and medical information access to all our financial information as well…
Nothing could go wrong here, amirite?
In 2024, there were 180 million disclosures. Since record-keeping began in 2009, there have been roughly 700 million disclosures.
The 1996 HIPAA regulations recognized the risk of exposure, charged Health & Human Services with policing that risk, and gave them the power to assess fines for such disclosures. The Office of Civil Rights (OCR) within HHS has this responsibility.
If the first such disclosure had resulted in a financial penalty that put the responsible company into bankruptcy and subsequent penalties were of the same or greater magnitude, we wouldn’t have this problem (or the national debt would be a few billion dollars lower).
Cybersecurity is difficult and expensive, but it isn’t impossible. If HHS/OCR did its job, excellent cybersecurity would be much less expensive than exposing personally identifiable medical data. At this point, we should just shut down OCR, admit failure, and give up on any possibility of keeping personal data private. Congress sold our data in exchange for campaign contributions, and we have no choice but to deal with the consequences.
Re:
I agree with pretty much everything here, except:
As a 32 year old with my life ahead of me, even with the troubles I’ve had so far: please stop with the “let’s just give up on fixing things” line. It’s never gotten anyone anywhere and is poisonous to society at scale, and I’m done with choosing to tolerate it when I can call it out.
Re:
One: If the first such disclosure had resulted in a financial penalty that put the responsible company into bankruptcy and subsequent penalties were of the same or greater magnitude, we wouldn’t have this problem (or the national debt would be a few billion dollars lower).
That’s not a sufficient punishment. It must also result in the confiscation of the personal assets of every Cxx-level executive at the company, including their real estate, cars, bank accounts, brokerage accounts, retirement accounts, everything. Otherwise they’ll simply go somewhere else and do it again, because there are always job openings for Cxx types to fail upwards.
Two: Cybersecurity is difficult and expensive, but it isn’t impossible.
I spent a dozen years managing a VERY large set of medical and prescription databases. There were no security incidents (that I’m aware of, and I was watching everything very carefully, and I had honeypots, logging, alarms, etc. in place to detect attempts). And in the end I was pseudo-fired (my contract wasn’t renewed) because I refused to do stupid things that management wanted done — stupid things that would have impacted the security and integrity of the operation. I was replaced by an ignorant noob (from a bodyshop, therefore much more expensive than me) who managed, within just a few months, to crash the production network for several days and lose the encryption keys for all the backups.
My point in reciting this unfortunate history is to point out that the biggest obstacle to properly securing medical (or financial or whatever) information is management. It’s always management, because they’re stupid, illiterate, and uneducated, and thus not only unable to comprehend what needs to be done, but unable to see through “solutions” that are no such thing — they’re just horribly overpriced flavor-of-the-moment vendor bullshit. And they don’t need to, because when something goes wrong they never, EVER, wind up being held accountable for it.
Agree with pretty much everything Bode said until I came here, and while I don’t disagree, I also feel like I should comment on it because I’ve noticed a trend.
I’ve noticed a thin, faint current of despair trickling into Bode’s writing on Techdirt and on BlueSky as of late. It’s completely understandable given the current moment — I’ve had my share and so have many of my friends — but I hope Bode is aware of it. He’s the very last person I ever want to see give up the fight.
Re:
Stop being so defeatist all the time, or I’ll call you a troll.
Re: Re:
He wasn’t being defeatist, he was pointing out something.
Re: Re: Re:
What do you think defeatism is…?
Re: Re: Re:2
🤷
Re: Re: Re:2
Defeatism is, to paraphrase a recent Linkin Park song, waving your white flag when—or even before—the war begins. It is acting as if everything will always be hopeless forever, so no one (but especially the complaining party) should ever try to fight. Someone pointing out how some aspect of the world sucks is not, in and of itself, defeatism. That same someone acting like change is impossible and waiting for the worst possible outcome to happen so they can be correct is defeatism. On a long enough timeline, a defeatist will alienate everyone but fellow defeatists (and even that’s not assured) with their eternal pessimism and learned helplessness. That won’t be ideal for the defeatist when they need help, but that’s their problem, and they’re the only one who can solve it.
Re: Re:
How am I defeatist? I’m trying to tell Bode that he shouldn’t give up the good fight! I thought that was clear from what I said!
Re: Re: Re:
Nah, you were 100% clear. The person responding to you just can’t read.
Re: Re:
You can read the more nuanced and thoughtful posts, but I’ll just say: Shut the fuck up already. Your shit is worse and more pointless than the share-my-worry bots (of whom the above is not one; wtf even is your mental calculus here?).
Re: Obviously...
Maybe he was aware, but realized that would most likely happen, regardless.
Or maybe he wasn’t. 🤷
(I was gonna reply to you)
Re: Re:
To be clear, I’m talking about a broader trend I’ve noticed, and I’m not criticizing Bode for having that emotion.
I’m trying to give him assurance and encouragement to fight despite that emotion. His work is important, and the last thing I want to see is him giving up on it.
Re: Re: Re:
You were perfectly reasonable
Re: Re: Re:
I’m just assuming, but I can see your point.