Ascension discloses multiple third-party data breaches

Ascension discloses data breach tied to former business partner

The latest incident to impact Ascension patients occurred on Dec. 6, 2024, when Ascension learned that patient information was potentially involved in a security incident that originated at a former business partner. Ascension did not name the business partner in its Apr. 28, 2025, public breach notification.

By late January, Ascension determined that it had inadvertently disclosed information to this former business partner and the information had been stolen from the business partner due to a vulnerability in third-party software that the partner used.

The breach impacted patients from Ascension locations in Michigan, Indiana, Alabama, Tennessee and Texas, though the total number of impacted patients has not yet been posted on the HHS Office for Civil Rights (OCR) data breach portal. The data involved in the breach included demographic information, Social Security numbers and clinical information related to inpatient visits.

Ascension confirmed that the incident did not involve any of its internal systems, networks or EHR systems.

"We have since reviewed our processes and are working to implement enhanced measures to prevent similar incidents from occurring in the future," Ascension stated.

Law firm hack impacts Ascension data

On April 14, 2025, Ascension disclosed a third-party data breach stemming from Scharnhorst Ast Kennard Griffin (SAKG), a Missouri-based law firm.

Once again, the breach did not involve Ascension systems directly. SAKG notified Ascension of the number of impacted individuals in February 2025, confirming that an unauthorized actor viewed or took information from the firm's systems between July 17, 2024, and Aug. 6, 2024.

According to OCR's data breach portal, the incident impacted 639 individuals. The breach involved demographic information, Social Security numbers, medical treatment information, medical record numbers and patient account numbers.

Telehealth company data breach affects Ascension patients

On March 3, 2025, Ascension posted a notice on its website informing patients of a third-party data breach that originated at Access TeleCare, a company that provides telehealth services to Ascension Seton in Texas.

According to Access TeleCare, an unauthorized party accessed certain email accounts between Nov. 6, 2023, and Jan. 8, 2024, and potentially downloaded content. The company said it promptly launched an investigation and took steps to notify impacted individuals and secure its email environment.

The affected email accounts contained names, dates of birth, Social Security numbers, passport numbers, financial account information and treatment information.

None of Ascension's internal systems were impacted by this incident.

Wound care management company discloses email breach

In February 2025, Ascension posted a notice about a data breach that occurred at Restorix Health, a business partner that provides wound care management services to Ascension Michigan, Ascension St. Vincent’s Riverside and Ascension St. Agnes.

Once again, the breach did not affect Asension systems directly. However, the Restorix incident did impact Ascension patient data. On May 30, 2024, Restorix learned that an unauthorized party gained access to an employee email account, maintaining that access from May 7 to May 29.

It was not until Dec. 18, 2024, that Restorix advised its healthcare partners that some protected health information was contained in the affected email account. Restorix established a call center for people impacted by the breach.

These incidents show that third-party risk continues to remain a pain point for healthcare organizations.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.