
Ascension discloses multiple third-party data breaches
Over the course of the last year, Ascension Health has been hit with a storm of third-party data breaches impacting its patients across multiple states.
Ascension Health, a Missouri-based Catholic health system, has disclosed several third-party data breaches in 2025, impacting patients across its network of hospitals and care facilities.
While Ascension posted notices for each third-party data breach in 2025 on its website, including one for the Change Healthcare cyberattack, the incidents all occurred in 2024 or prior.
Ascension, which serves patients across 16 states and Washington, D.C., also suffered an unrelated 5.6-million-record data breach in May 2024 due to a ransomware attack on its own systems.
As previously reported, third-party data breaches remain a top threat to healthcare cybersecurity. A February 2025 report by Ponemon Institute and Imprivata revealed that 44% of healthcare survey respondents experienced a data breach or cyberattack involving third-party network access in the last 12 months.
Ascension discloses data breach tied to former business partner
The latest incident to impact Ascension patients occurred on Dec. 6, 2024, when Ascension learned that patient information was potentially involved in a security incident that originated at a former business partner. Ascension did not name the business partner in its Apr. 28, 2025, public breach notification.
By late January, Ascension determined that it had inadvertently disclosed information to this former business partner and the information had been stolen from the business partner due to a vulnerability in third-party software that the partner used.
The breach impacted patients from Ascension locations in Michigan, Indiana, Alabama, Tennessee and Texas, though the total number of impacted patients has not yet been posted on the HHS Office for Civil Rights (OCR) data breach portal. The data involved in the breach included demographic information, Social Security numbers and clinical information related to inpatient visits.
Ascension confirmed that the incident did not involve any of its internal systems, networks or EHR systems.
"We have since reviewed our processes and are working to implement enhanced measures to prevent similar incidents from occurring in the future," Ascension stated.
Law firm hack impacts Ascension data
On April 14, 2025, Ascension disclosed a third-party data breach stemming from Scharnhorst Ast Kennard Griffin (SAKG), a Missouri-based law firm.
Once again, the breach did not involve Ascension systems directly. SAKG notified Ascension of the number of impacted individuals in February 2025, confirming that an unauthorized actor viewed or took information from the firm's systems between July 17, 2024, and Aug. 6, 2024.
According to OCR's data breach portal, the incident impacted 639 individuals. The breach involved demographic information, Social Security numbers, medical treatment information, medical record numbers and patient account numbers.
Telehealth company data breach affects Ascension patients
On March 3, 2025, Ascension posted a notice on its website informing patients of a third-party data breach that originated at Access TeleCare, a company that provides telehealth services to Ascension Seton in Texas.
According to Access TeleCare, an unauthorized party accessed certain email accounts between Nov. 6, 2023, and Jan. 8, 2024, and potentially downloaded content. The company said it promptly launched an investigation and took steps to notify impacted individuals and secure its email environment.
The affected email accounts contained names, dates of birth, Social Security numbers, passport numbers, financial account information and treatment information.
None of Ascension's internal systems were impacted by this incident.
Wound care management company discloses email breach
In February 2025, Ascension posted a notice about a data breach that occurred at Restorix Health, a business partner that provides wound care management services to Ascension Michigan, Ascension St. Vincent’s Riverside and Ascension St. Agnes.
Once again, the breach did not affect Ascension systems directly. However, the Restorix incident did impact Ascension patient data. On May 30, 2024, Restorix learned that an unauthorized party gained access to an employee email account, maintaining that access from May 7 to May 29.
It was not until Dec. 18, 2024, that Restorix advised its healthcare partners that some protected health information was contained in the affected email account. Restorix established a call center for people impacted by the breach.
These incidents show that third-party risk remains a pain point for healthcare organizations.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.