Decipher File · May 8 to June 14, 2024 EHR downtime
Ascension Health Ransomware (May 2024): Black Basta Took Down 140 Hospitals
Ascension, one of the largest non-profit Catholic health systems in the US with approximately 140 hospitals across 19 states, detected a ransomware attack on May 8, 2024. The Black Basta ransomware-as-a-service group was attributed in public reporting and CISA-FBI joint advisory AA24-131A issued May 10, 2024. Ascension took electronic health record (EHR) systems offline across the network for roughly six weeks, with the EHR fully restored on June 14, 2024. The initial access vector, per Ascension's December 2024 customer notification, was an employee inadvertently downloading malware to a corporate device. Approximately 5.6 million patients were affected per Ascension's June 2024 OCR breach notification. Patient safety incidents during the EHR downtime were documented in public reporting.
Incident summary
Ascension, one of the largest non-profit Catholic health systems in the US operating approximately 140 hospitals across 19 states and Washington DC, detected a ransomware attack on May 8, 2024. The incident took Ascension's electronic health record (EHR) systems offline across the network. The Epic EHR platform, which Ascension operates as its primary clinical documentation and order entry system, was unavailable to clinical staff for approximately six weeks. The EHR was fully restored on June 14, 2024 per Ascension's public statement of that date. During the downtime, Ascension reverted to paper-based documentation and order entry across affected hospitals.
Per Ascension's December 19, 2024 incident update, the initial access vector was an Ascension employee who inadvertently downloaded a malicious file to a corporate device. The update did not name the actor, but public reporting from May 2024 onward and CISA-FBI joint advisory AA24-131A, issued May 10, 2024, attributed the broader campaign category to Black Basta, a Russian-language ransomware-as-a-service group active since 2022 with documented healthcare-sector targeting. HHS HC3 issued a parallel Black Basta threat profile in mid-May 2024.
Patient safety impact during the EHR downtime was documented in public reporting from the Wall Street Journal, Associated Press, and trade publications. Specific reported incidents included medication errors due to paper-based order entry, delays in laboratory test results, ambulance diversions from affected emergency departments, and elective procedure postponements. Ascension nurses' union representatives at multiple affected hospitals publicly described safety concerns during the downtime. The patient-safety dimension of healthcare ransomware impact, while always present, was more visibly documented in the Ascension incident than in most prior healthcare ransomware events.
Attack technique
Per Ascension's December 2024 disclosure and CISA-FBI advisory AA24-131A on Black Basta TTPs, the technique chain began with phishing or malicious file delivery (T1566) and user execution of a malicious file (T1204.002) on a corporate device. The Ascension disclosure characterized this as an inadvertent employee action, which is consistent with the broader Black Basta affiliate pattern of using phishing and malvertising to deliver initial-access payloads. Common initial-access payloads in Black Basta operations include Qakbot, IcedID, and Pikabot, all of which fetch a Cobalt Strike beacon as the post-compromise framework.
Post-compromise, Black Basta affiliates use Cobalt Strike for command-and-control, then run reconnaissance with built-in Windows administrative tools and Active Directory queries. The affiliate playbook includes credential harvesting via Mimikatz, lateral movement via PsExec and WMI, and privilege escalation via known Active Directory misconfigurations. Persistence is established through scheduled tasks and service installations. The dwell time between initial access and ransomware deployment in Black Basta operations typically runs days to weeks, which gives defenders a detection window if the right telemetry and threat-hunting capability exist.
Ransomware deployment (T1486) is typically the final stage and runs during off-hours to maximize the encryption footprint before detection. Black Basta binaries disable volume shadow copies, modify backup catalogs, and where possible attempt to access and corrupt online backup repositories accessible from the compromised domain. The affiliate playbook also includes data exfiltration to attacker-controlled cloud storage prior to encryption (T1567.002), supporting the double-extortion business model where the actor demands ransom both for decryption and for non-publication of stolen data. Ascension has not publicly disclosed whether a ransom was paid or whether data was leaked on the Black Basta onion leak site.
The healthcare-sector targeting pattern of Black Basta and adjacent ransomware groups is operationally distinct from non-healthcare ransomware operations. Healthcare organizations have higher willingness to pay because of the immediate patient-safety consequences of EHR and clinical system downtime. The ransomware criminal market has documented this willingness and adjusted targeting accordingly. CISA-FBI advisory AA24-131A specifically called out healthcare sector targeting by Black Basta, and HHS HC3 issued parallel guidance in May 2024 on the healthcare-sector threat profile.
Impact and consequences
Patient-data impact reached approximately 5.6 million affected individuals per Ascension's June 2024 HHS Office for Civil Rights breach notification. The affected data categories included names, addresses, dates of birth, contact information, Social Security numbers for a subset of individuals, payment card data for a smaller subset, government identification numbers, and clinical and treatment information including medical record numbers and dates of service. The 5.6 million figure made the incident one of the largest healthcare ransomware breaches in 2024, second behind the Change Healthcare ALPHV intrusion in scope and ahead of most other healthcare ransomware victims for the year.
Operational impact during the six-week EHR downtime was severe. Ascension hospitals operated on paper-based clinical documentation and order entry, which is slower, more error-prone, and not scalable to high-volume emergency department and inpatient operations. Multiple Ascension hospitals diverted ambulances to nearby non-Ascension facilities during periods of the downtime. Elective procedures were postponed at affected hospitals. Pharmacy operations relied on paper-based medication reconciliation, which produced documented medication errors. Laboratory test result delivery was delayed, which produced documented diagnostic delays.
Financial impact was substantial. Ascension's Q3 fiscal year 2024 and full-year financial reporting recorded operational disruption from the cybersecurity event as a material item. The exact cost figure has not been publicly broken out, but Ascension's fiscal year 2024 operating loss expanded materially relative to prior-year expectations, with the cyber event cited as a contributing factor. The financial impact included direct remediation cost, lost revenue during the downtime, increased contractor and overtime labor cost, and the cost of patient notification and identity-monitoring services across 5.6 million affected individuals.
Regulatory and litigation consequences followed. HHS Office for Civil Rights opened a HIPAA breach investigation in June 2024. Multiple state attorneys general opened parallel investigations under state breach-notification and healthcare-data-protection laws. Class action litigation was filed in the weeks following the breach notification. The patient-safety dimension produced separate state department-of-health investigations at several Ascension state operations. The cumulative regulatory and litigation cost will extend through 2025 and beyond, with final settlement figures not expected until 2026 or later.
Indicators of Compromise
Specific artifacts defenders should hunt for. Cross-reference these against your existing detection rules before acting on them.
- Initial access via an employee inadvertently downloading malware to a corporate device per Ascension's December 19, 2024 incident update
- Black Basta ransomware deployment patterns documented in CISA-FBI joint advisory AA24-131A issued May 10, 2024
- EHR systems offline across approximately 140 Ascension hospitals starting May 8, 2024
- Use of Cobalt Strike beacons and remote management tools consistent with Black Basta affiliate playbook documented in HHS HC3 advisory
- Volume shadow copy deletion and backup catalog tampering across affected hosts to inhibit recovery, consistent with Black Basta TTPs
- Data exfiltration to attacker-controlled cloud storage prior to encryption, with subsequent leak-site posting on Black Basta's onion site
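The following is an added example, not Ascension's tooling and not code from advisory AA24-131A, showing how a defender would hunt for the playbook steps described in the Attack technique section and the indicators above (shadow copy deletion, backup catalog tampering, PsExec and WMI lateral movement, scheduled-task persistence) in process-creation telemetry. It assumes events such as Sysmon Event ID 1 or Windows Security 4688 have been exported one JSON object per line with `host`, `user` and `command_line` fields; the sample events, host names and regular expressions are constructed for illustration, and the ATT&CK technique IDs attached to each rule (T1490, T1021.002, T1047, T1053.005) are added here rather than taken from the page.

```python
"""Hunt for Black Basta playbook commands in process-creation telemetry.

Added example (not Ascension's tooling, not from AA24-131A). Assumes
process-creation events have been exported as newline-delimited JSON with
host, user and command_line fields. Sample events below are constructed.
"""
from __future__ import annotations

import json
import re
from collections import defaultdict
from dataclasses import dataclass

# (rule name, regex applied to the lowercased command line, ATT&CK technique).
# Patterns are illustrative assumptions; tune them to your own telemetry.
RULES = [
    ("vssadmin shadow deletion", r"vssadmin(\.exe)?\s+delete\s+shadows", "T1490"),
    ("wmic shadow copy deletion", r"wmic(\.exe)?\s+shadowcopy\s+delete", "T1490"),
    ("powershell shadow copy deletion", r"win32_shadowcopy.*\.delete\(\)", "T1490"),
    ("bcdedit recovery disabled", r"bcdedit(\.exe)?.*recoveryenabled\s+no", "T1490"),
    ("wbadmin catalog deletion", r"wbadmin(\.exe)?\s+delete\s+catalog", "T1490"),
    ("psexec remote execution", r"\bpsexec(64)?(\.exe)?\b", "T1021.002"),
    ("wmic remote process creation", r"wmic(\.exe)?\s+.*process\s+call\s+create", "T1047"),
    ("scheduled task creation", r"schtasks(\.exe)?\s+/create", "T1053.005"),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    technique: str
    command_line: str


def scan_event(event: dict) -> list[Finding]:
    """Return one Finding per rule that the event's command line matches."""
    cmd = event.get("command_line", "")
    low = cmd.lower()
    return [
        Finding(event["host"], event["user"], name, technique, cmd)
        for name, pattern, technique in RULES
        if re.search(pattern, low)
    ]


def scan_events(lines) -> list[Finding]:
    """Scan newline-delimited JSON events; blank lines are ignored."""
    findings: list[Finding] = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(scan_event(json.loads(line)))
    return findings


def prioritize(findings: list[Finding]) -> list[tuple[str, int]]:
    """Rank hosts by the number of distinct techniques observed on them.

    A single vssadmin run by an admin is a weak signal; a host showing recovery
    inhibition plus lateral movement plus persistence warrants immediate triage.
    """
    per_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        per_host[f.host].add(f.technique)
    return sorted(((h, len(t)) for h, t in per_host.items()),
                  key=lambda item: (-item[1], item[0]))


# Constructed sample telemetry: hypothetical hosts and users, not real data.
SAMPLE_EVENTS = r"""
{"host": "WS-PHARM-03", "user": "CORP\\svc-backup", "command_line": "vssadmin.exe delete shadows /all /quiet"}
{"host": "WS-PHARM-03", "user": "CORP\\svc-backup", "command_line": "bcdedit /set {default} recoveryenabled No"}
{"host": "WS-PHARM-03", "user": "CORP\\svc-backup", "command_line": "wbadmin delete catalog -quiet"}
{"host": "WS-LAB-11", "user": "CORP\\jdoe", "command_line": "vssadmin.exe delete shadows /all /quiet"}
{"host": "WS-LAB-11", "user": "CORP\\jdoe", "command_line": "vssadmin list shadows"}
{"host": "DC-01", "user": "CORP\\admin1", "command_line": "cmd.exe /c dir C:\\Windows"}
{"host": "WS-ED-07", "user": "CORP\\jdoe", "command_line": "powershell.exe Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"}
{"host": "WS-ED-07", "user": "CORP\\jdoe", "command_line": "psexec.exe \\\\WS-LAB-11 -s cmd.exe"}
{"host": "WS-ED-07", "user": "CORP\\jdoe", "command_line": "schtasks /create /tn Updater /tr C:\\ProgramData\\upd.exe /sc onlogon"}
{"host": "WS-LAB-11", "user": "CORP\\jdoe", "command_line": "wmic /node:WS-PHARM-03 process call create cmd.exe"}
"""


if __name__ == "__main__":
    hits = scan_events(SAMPLE_EVENTS.splitlines())
    for f in hits:
        print(f"{f.host:12} {f.technique:10} {f.rule}: {f.command_line}")
    print("triage order:", prioritize(hits))
```

The ranking step is the part worth copying: because the same affiliate playbook touches recovery inhibition, lateral movement and persistence within a days-to-weeks dwell window, a host that trips several of these categories is far more likely to be part of the pre-deployment stage than one that trips a single rule.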
Lessons for defenders
Healthcare EHR availability is a patient-safety control, not just an IT availability control. Ascension's six-week EHR downtime produced documented patient-safety incidents. Build EHR availability protections accordingly: separate identity tiers for clinical system access, segmentation of clinical systems from corporate IT, offline backup tiers for clinical data, and tested business continuity procedures for paper-based fallback at scale. The Health Industry Cybersecurity Practices (HICP) reference documents from HHS and the 405(d) cybersecurity guidelines provide operational baselines for the healthcare sector specifically.
Initial access via phishing and malicious file delivery remains the dominant ransomware vector in healthcare. Ascension's disclosed initial access vector was an employee inadvertently downloading a malicious file. The realistic defensive posture is layered: phishing-resistant authentication that limits the impact of credential theft, endpoint protection capable of detecting Qakbot, IcedID, Pikabot, and equivalent initial-access loaders, and segmentation that limits lateral movement from a compromised employee endpoint. The CISA-FBI advisory AA24-131A indicator list provides specific detection material for Black Basta operations.
Backup integrity and offline backup tiers are the recovery control for healthcare ransomware. Black Basta binaries disable volume shadow copies and online backup catalogs as standard practice. Online backups accessible from compromised domain credentials are within the actor's reach. Offline, immutable, or air-gapped backup copies with independent authentication are the only reliable backup tier after a full domain compromise. Healthcare organizations relying solely on online backup tiers will experience full EHR downtime that runs weeks or months, as Ascension did. Invest in offline backup capability before the first incident.
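As an added example (not Ascension's tooling or any product's API) of the "independent authentication" point above, the script below signs a backup set's manifest with an HMAC key that is assumed to live only on an isolated verification host, never on a domain-joined system, and then checks the set before it is trusted for restore. The backup files, directory layout and key value are constructed placeholders; the point demonstrated is that an actor who can modify or delete online backup files from compromised domain credentials cannot also forge the manifest that attests to them, so encryption, deletion and manifest rewriting are all caught before a restore begins.

```python
"""Sign and verify a backup set manifest with a key held off-domain.

Added example, not Ascension's or any vendor's code. The HMAC key is assumed
to exist only on an isolated verification host; the constant below is a
placeholder for illustration. Backup content is constructed in a temp dir.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"
SIG_NAME = "MANIFEST.sig"


def _sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict[str, str]:
    """Map each backup file (relative POSIX path) to its SHA-256 digest."""
    manifest: dict[str, str] = {}
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name not in (MANIFEST_NAME, SIG_NAME):
            manifest[p.relative_to(backup_dir).as_posix()] = _sha256_file(p)
    return manifest


def sign_manifest(backup_dir: Path, key: bytes) -> dict[str, str]:
    """Write MANIFEST.json and its HMAC-SHA256 signature next to the backup."""
    manifest = build_manifest(backup_dir)
    body = json.dumps(manifest, sort_keys=True).encode()
    (backup_dir / MANIFEST_NAME).write_bytes(body)
    (backup_dir / SIG_NAME).write_text(hmac.new(key, body, hashlib.sha256).hexdigest())
    return manifest


def verify_backup(backup_dir: Path, key: bytes) -> tuple[bool, list[str]]:
    """Check the signature first, then every recorded file; return (ok, problems)."""
    try:
        body = (backup_dir / MANIFEST_NAME).read_bytes()
        sig = (backup_dir / SIG_NAME).read_text().strip()
    except FileNotFoundError as e:
        return False, [f"missing {e.filename}"]
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        # The manifest was rewritten or re-signed with a key other than ours.
        return False, ["manifest signature mismatch"]
    recorded = json.loads(body)
    current = build_manifest(backup_dir)
    problems = []
    for rel, digest in recorded.items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != digest:
            problems.append(f"modified: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in current if rel not in recorded)
    return not problems, problems


def demo() -> dict[str, tuple[bool, list[str]]]:
    """Build a constructed backup set, sign it, then simulate three tamper cases."""
    key = b"placeholder-key-held-only-on-isolated-host"
    wrong_key = b"key-an-attacker-might-guess"
    out: dict[str, tuple[bool, list[str]]] = {}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "ehr").mkdir()
        (d / "ehr" / "orders.db").write_bytes(b"orders-" * 100)   # constructed
        (d / "ehr" / "labs.db").write_bytes(b"labs-" * 100)       # constructed
        sign_manifest(d, key)
        out["pristine"] = verify_backup(d, key)
        (d / "ehr" / "orders.db").write_bytes(b"\x00" * 64)       # simulated encryption
        out["after_encrypt"] = verify_backup(d, key)
        (d / "ehr" / "labs.db").unlink()                           # simulated deletion
        out["after_delete"] = verify_backup(d, key)
        sign_manifest(d, wrong_key)                                # manifest re-signed without our key
        out["after_resign"] = verify_backup(d, key)
    return out


if __name__ == "__main__":
    for case, (ok, problems) in demo().items():
        print(f"{case:14} ok={ok} {problems}")
```

Run the verification from the isolated host against a mounted copy of the backup tier, never from a domain-joined machine, and treat a signature mismatch as a stronger alarm than a modified file: the former means whoever altered the backup also tried to cover it.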
Patient-safety incident documentation during EHR downtime should be pre-planned. Ascension's experience demonstrated that EHR downtime produces measurable patient-safety incidents. State health department investigations and litigation will require detailed documentation of those incidents. Pre-plan the incident documentation procedure for the downtime case: who records what, in what format, with what retention. The same pre-planning applies to ambulance diversion decisions, elective procedure postponement decisions, and pharmacy operations under paper-based fallback. Healthcare organizations that have not pre-planned these procedures will be making documentation decisions during the active incident, which is the worst possible time.
Frequently asked questions
What happened in the Ascension Health ransomware attack?
Ascension, one of the largest non-profit Catholic health systems in the US operating approximately 140 hospitals across 19 states, detected a ransomware attack on May 8, 2024. The incident took electronic health record (EHR) systems offline across the network for approximately six weeks, with full EHR restoration on June 14, 2024. Approximately 5.6 million patients were affected per Ascension's June 2024 HHS Office for Civil Rights breach notification. During the EHR downtime, Ascension hospitals reverted to paper-based clinical documentation and order entry.
Who was behind the Ascension ransomware attack?
Public reporting from May 2024 onward and CISA-FBI joint advisory AA24-131A, issued May 10, 2024, attributed the broader campaign category to Black Basta, a Russian-language ransomware-as-a-service group active since 2022 with documented healthcare-sector targeting. HHS HC3 issued a parallel Black Basta threat profile in mid-May 2024. Ascension's December 2024 incident update characterized the initial access vector as an employee inadvertently downloading a malicious file but did not formally name the actor in its public disclosure.
How did the ransomware get into Ascension's network?
Per Ascension's December 19, 2024 incident update, the initial access vector was an Ascension employee who inadvertently downloaded a malicious file to a corporate device. The pattern is consistent with the broader Black Basta affiliate playbook of using phishing and malvertising to deliver initial-access payloads including Qakbot, IcedID, and Pikabot, which then fetch Cobalt Strike beacons for post-compromise command-and-control. The dwell time between initial access and ransomware deployment in Black Basta operations typically runs days to weeks.
How many patients were affected by the Ascension cyberattack?
Approximately 5.6 million patients were affected per Ascension's June 2024 HHS Office for Civil Rights breach notification. The affected data categories included names, addresses, dates of birth, contact information, Social Security numbers for a subset of individuals, payment card data for a smaller subset, government identification numbers, and clinical and treatment information. The 5.6 million figure made the incident one of the largest healthcare ransomware breaches in 2024, behind only the Change Healthcare ALPHV intrusion in scope.
Did Ascension pay a ransom?
Ascension has not publicly disclosed whether a ransom was paid. The company's public statements through the incident focused on clinical operations, patient safety, and EHR restoration timeline rather than the financial transaction with the actor. Whether data was leaked on the Black Basta onion leak site has not been publicly confirmed by Ascension. The financial impact of the incident appeared as a material item in Ascension's fiscal year 2024 reporting but was not separately broken out from other operational disruption.
Were patients harmed during the Ascension EHR downtime?
Patient safety impact during the six-week EHR downtime was documented in public reporting from the Wall Street Journal, Associated Press, and trade publications, with Ascension nurses' union representatives publicly describing safety concerns at multiple affected hospitals. Specific reported categories included medication errors due to paper-based order entry, delays in laboratory test results, ambulance diversions, and elective procedure postponements. State department-of-health investigations at several Ascension state operations followed. Final adjudication of specific patient harm cases will run through 2025 and beyond in regulatory and litigation processes.
What can other healthcare organizations learn from Ascension?
Healthcare EHR availability is a patient-safety control, not just an IT availability control, and requires separate identity tiers, segmentation from corporate IT, offline backup tiers, and tested paper-based business continuity procedures. Initial access via phishing remains the dominant ransomware vector, requiring phishing-resistant authentication and endpoint detection capable of catching Qakbot, IcedID, Pikabot, and equivalent loaders. Offline backup tiers are the only reliable recovery path after a full domain compromise. Patient-safety incident documentation procedures during EHR downtime should be pre-planned, not improvised during the active incident.
Sources
- Ascension Cybersecurity Event Public Statements · Ascension's chronological public statements from May 8, 2024 through full EHR restoration
- Ascension December 19, 2024 Incident Update · Ascension's disclosure of the employee initial access vector and patient notification scope
- CISA-FBI Joint Cybersecurity Advisory AA24-131A: Black Basta Ransomware · May 10, 2024 federal advisory on Black Basta TTPs and the healthcare sector targeting pattern
- HHS Office for Civil Rights Breach Notification Database · HHS OCR breach disclosure for Ascension covering approximately 5.6 million affected individuals
- HHS Health Sector Cybersecurity Coordination Center: Black Basta Alert · HHS HC3 threat profile on Black Basta and healthcare-sector targeting
- Wall Street Journal: Ascension Cyberattack Disrupted Patient Care · WSJ reporting on patient safety incidents during the EHR downtime