Health Giant Ascension Informs 5.6 Million Patients Their Sensitive Data Was Compromised 6 Months Ago
Another day, another major privacy scandal we’ll likely do nothing about.
Health care giant Ascension — which owns 140 hospitals and assisted living facilities — says that a May cyberattack compromised the sensitive data of more than 5.6 million patients.
According to a filing with the Maine Attorney General and a December 19th post to the Ascension website, the attack occurred in May, but Ascension is just getting around to informing victims six months later. Compromised data included names, social security numbers, addresses, sensitive health information, Medicare/Medicaid data, payment information, and more.
But don’t worry, Ascension is offering users the now standard “free credit monitoring”:
“Ascension is now in the process of notifying affected individuals. The organization is also offering two years of credit and fraud monitoring, a $1 million insurance reimbursement policy, and managed ID theft recovery services. The services became effective last Thursday.”
I’ve been included in so many hacks I’ve literally lost track of the companies now offering me a year of free credit reporting. Often from credit reporting companies who are also curiously incapable of securing their networks and systems themselves.
There are a lot of moving parts here. Our for-profit healthcare system routinely cuts corners on cybersecurity, creating a field day for ransomware attackers. Our lax antitrust reform means health giants routinely prioritize giant, pointless mergers that misdirect attention away from cybersecurity (and health care). Then of course you’ve got a country that’s simply too corrupt to pass a privacy law.
These scandals keep happening because companies and executives see no real repercussions for failing to properly invest in security infrastructure. When there is regulatory action for lax privacy, it comes in the form of piddly wrist-slap fines that are often litigated down to a pittance.
The corner cutting required to deliver impossible, unlimited quarterly growth to Wall Street routinely has a sort of cannibalizing effect on public safety and product quality. This “enshittification” is particularly problematic when it touches health care.
Since the Supreme Court has effectively neutered the independence of most regulators, and with Congress too corrupt to pass even a baseline privacy law for the Internet era, you can expect nothing to change anytime soon. At least until there’s a privacy breach so massive, deadly, or high profile that the country is finally shaken out of its corrupt apathy.
At which point the biggest companies in America will get together to ghostwrite a useless modern privacy law primarily focused on legalizing incompetence, and making life harder on smaller competitors.