Cyberattack on Ascension Michigan, other sites, began with ‘honest mistake’

• In its latest ransomware update, Ascension said its systems were breached accidentally when an ‘individual’ working at a site downloaded what they thought was a harmless file
• The hospital system is offering patients free credit monitoring
• The cyberattack was first detected on May 8 and disruptions continue

The cyberattack that has hobbled Ascension hospitals in Michigan and elsewhere for more than a month was caused when an “individual” working at one of the Ascension sites “accidentally downloaded a malicious file that they thought was legitimate,” the Catholic health behemoth reported Wednesday.

“We have no reason to believe this was anything but an honest mistake,” Ascension reported.

The download enabled attackers “to take files from a small number of file servers used by our associates primarily for daily and routine tasks” — specifically seven of 25,000 servers — the hospital chain reported.

And that, in turn, put at risk files containing “Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals, although the specific data may differ from individual to individual,” the chain reported, noting “progress” in the investigation.

RELATED: 

• Ransomware update: Ascension can’t fill prescriptions at its Michigan pharmacies
• Ascension, owner of 15 Michigan hospitals, confirms cyberattack was ransomware
• Cyberattack forces Ascension hospitals in Michigan to reroute patients

As of Tuesday, Ascension had restored access to electronic health records in several states and regions. That included four Michigan sites within the Genesys (Flint area), Rochester, Saginaw, and Tawas City markets.

Beyond that, Ascension provided few details about the initial breach.

It’s not clear if the person who downloaded the files was staff, a contractor or a visitor doing work unrelated to the hospital systems, for example. And while Ascension has acknowledged the attack as “ransomware,” it has not said whether it paid the ransom, nor has the attacker or attacking organization been identified.

Ascension Michigan has repeatedly declined requests for Bridge interviews since the breach. Rather, it has updated patients through a national page here and a page for Michigan patients here.

It’s also unclear how long it may take to fully restore systems. Earlier this month, Ascension reported a “turning point in our response efforts” in Florida, Alabama and Austin markets.

Credit-monitoring offer

The St. Louis-based chain also sought to reassure patients that their personal information may still be safe, even as it extended an offer of credit monitoring services and identity theft protection services.

(Patients can enroll in the credit monitoring and identity theft protection services at 1-888-498-8066.)

“Importantly, we have no evidence that data was taken from our Electronic Health Records (EHR) and other clinical systems, where our full patient records are securely stored,” it said in its national update.

Ascension Michigan hospitals continue to face “ongoing disruption to normal systems” but offices and “care sites” remain open and “all scheduled appointments are proceeding as planned,” Ascension reported in a separate update for Michigan patients.

Patients “may encounter longer than usual wait times and some delays,” it reiterated, advising them to “bring notes on symptoms and a list of current medications, including prescription numbers or bottles.”

Some electronic health records and patient portals remain inaccessible, as well as some phone systems and systems used to order “certain tests, procedures and medications.”

Ascension has been forced to pivot from computers to paperwork at times after a cyberattack breached its systems May 8. That’s when Ascension “detected unusual activity on select technology network systems” — a cybersecurity event that later changed to the more specific term, “ransomware.”