UPDATED 20:01 EDT / JUNE 13 2024

SECURITY

Black Basta ransomware group suspected in Ascension data theft incident

U.S. healthcare provider Ascension has provided more details of its “cyber security event” last month, admitting that data was stolen, with some reports also suggesting that the Black Basta ransomware gang was behind the attack.

One of the largest nonprofit and Catholic health systems in the U.S. and also the second-largest operator of hospitals in the U.S. as of 2019, Ascension first disclosed that it had suffered a security issue on May 5. At the time, Ascension said the attack had disrupted clinical operations and was advising business partners to suspend their connections to the Ascension environment temporarily.

In a statement on Wednesday, Ascension said it had made progress in its investigation and recovery and that it now has evidence the attackers were able to take files from a small number of file servers used by associates for daily and routine tasks. Some of those servers were found to contain protected health information and personally identifiable information for certain individuals.

Ascension also disclosed how the attacker had gained access to its systems: An individual “working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate.” It said it has “no reason to believe this was anything but an honest mistake.”

The nonprofit added that, as of now, it doesn’t know exactly what data was potentially affected and for which patients. The investigation is ongoing.

Though Ascension didn’t disclose the form of attack, CNN, referencing four sources, reported last month that it was a Black Basta attack. Further pointing to Black Basta was a May 10 alert from the Health Information Sharing and Analysis Center, issued two days after the Ascension attack, warning that the group was actively targeting healthcare organizations.

A report released yesterday from the Threat Hunter Team at Symantec detailed how Black Basta is suspected of using a patched Windows flaw in recent cyberattacks. Although the report doesn’t name Ascension, the fact that Black Basta, which first appeared in 2022, has been found to be highly active recently also gives credence to the idea that Ascension may have been targeted by the group.

Discussing the attack vector, Max Gannon, cyber intelligence team manager at phishing protection solutions company Cofense Inc., told SiliconANGLE that “unfortunately, it really only takes one person making an honest mistake.”

“This is why training is so critical. Basic cyber literacy is becoming more common, but truly instilling a sense of suspicion when it comes to online interactions and activities takes time and a serious investment on the company’s part,” Gannon added. “Ascension has responded well to the breach, keeping relevant parties updated and offering monitoring even for parties that were likely unaffected.”
