Ascension Ransomware Attack Is “Total Chaos” — and Now It’s Impacting Deathcare

On May 8, Ascension, a Catholic nonprofit healthcare group that operates 140 hospitals across 19 states, was hit with a ransomware cybersecurity breach that crippled its digital network, leading to ambulance diversions, limited phone access, and — perhaps most importantly — manual patient recordkeeping. Although those most impacted are current patients and staff, the attack has caused an inevitable ripple effect that is now reaching many within the deathcare profession — and the families you serve.

The attack

Since publicly confirming the ransomware attack on May 9, St. Louis-based Ascension has shared few details about the status of their recovery of data and network control, other than that they’ve engaged a third party cybersecurity specialist and are working with law enforcement and a host of government partners, including the FBI and the Department of Health and Human Services (HHS). They have not published an estimated timeline for recovery or information about the ransom demands.

However, the HHS, along with the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) issued a joint statement about the attack on May 10. The statement names the entity behind the attack as Black Basta, an organization that has claimed responsibility for ransomware attacks on more than 500 organizations globally since 2021. Healthcare is just one of the wide-ranging industries targeted by Black Basta.

According to the HHS/FBI/CISA statement, “Black Basta affiliates use common initial access techniques—such as phishing and exploiting known vulnerabilities—and then employ a double-extortion model, both encrypting systems and exfiltrating data. Ransom … notes provide victims with a unique code and instructs them to contact the ransomware group … [giving] victims between 10 and 12 days to pay the ransom before the ransomware group publishes their data on the Black Basta TOR site.”

Why healthcare?

It may seem particularly devious and inhumane to attack a healthcare system, knowing that the breach puts the lives of millions of patients in danger. However, for hackers, it makes perfect sense.

“Healthcare organizations are attractive targets for cybercrime actors,” reads the joint statement, “due to their size, technological dependence, access to personal health information, and unique impacts from patient care disruptions.”

In other words, healthcare systems have a more imperative incentive to pay the ransomware demands. The tactic has worked in the past; on May 1, the CEO of UnitedHealth acknowledged that his organization had paid $22 million in Bitcoin to a hacker group Blackcat.

Unfortunately, this is just a drop in the bucket. For the year 2023, the HHS reported 725 ransomware attacks or data breaches on healthcare entities, impacting more than 500 patient records; that’s up from 2022’s high of 720 breaches. In total, last year more than 133 million patient records were threatened. That number is expected to increase again in 2024, and, based on the Ascension attack, that’s a safe bet.

The real impact

As of Friday, May 17, Ascension is still operating on “downtime procedures” — which they describe as “safe clinical practices born out of necessity … [that] require our highly qualified, dedicated medical, nursing and clinical teams to utilize manual processes to ensure patients are properly cared for.”

These manual processes include “moving to paper records and processing everything by hand, […] including dispensing medication, inputting health medical records, ordering and completion of diagnostic tests and procedures, contacting patients and sharing information securely.”

The hospital’s statements don’t come close to describing the “pure and utter chaos” faced by the staff in Ascension facilities who are struggling to provide the same level of care for their patients as they did before the breach.

“[T]hey are having to override all the medications from their Pyxis or their automatic dispensing cabinet, and they cannot scan the medications, so you can’t scan the armband on the patient or the barcode to match to see if that is even the correct order or dose for the patient. These are basic safety checks that have been eliminated,” a nurse advocate known as “Nurse Erica” on social media explained to a Nashville news station. “They are all saying we were not prepared for this, we were handed a packet of downtime forms, paper forms, and that’s it.”

Enter deathcare

And this is exactly where deathcare comes into play within the Ascension breach. Without digital access to patient records, physicians are unable to complete death certificates in a timely manner. Additionally, the Electronic Death Registration System (EDRS) most likely isn’t an available option within the Ascension system.

Some funeral homes, including two contacted by Wisconsin television outlet TMJ4, have reported delays in receiving death certificates, which has in turn delayed cremation and burial services, life insurance filings, and application for other benefits. 

Chris Chvilicek, a director at Wilson Funeral Home in Racine, WI, shared that he’s gone back to the old-fashioned process of hand-delivering death certificates to physicians for completion to help his families. A member of one of those families took to Facebook to share his frustration that his mother couldn’t be cremated “because Ascension All Saints can’t confirm her cause of death due to the outage.”

Fortunately, that family member understands that the hands of Chvilicek and his team are tied, and shared with the news station that “his mother’s funeral home has been working tirelessly to get a signed death certificate so the cremation process can begin.”