Ascension Health Data Breach 2025: 437,329 Patients Exposed via Former Business Partner Tied to Cleo/Clop Attack
Ascension Health filed a HIPAA breach notification with HHS OCR on April 28, 2025, reporting 437,329 individuals affected after a former business partner's systems were compromised in late 2024. The intrusion is widely linked to the Clop ransomware gang's mass exploitation of the Cleo file-transfer platform. This is a separate event from Ascension's May 2024 Black Basta ransomware breach (~5.6M).
You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.
Timeline
Dec 5, 2024
Ascension learns patient data may have been involved in a security incident at a former business partner
Jan 21, 2025
Investigation determines Ascension had inadvertently disclosed patient data to the former business partner and that data was likely stolen during the hacking incident
Apr 28, 2025
Ascension files HIPAA breach notification with HHS Office for Civil Rights — 437,329 affected
Apr 29, 2025
Notification letters begin going out; Ascension offers 24 months of Kroll credit monitoring and identity-theft restoration; dedicated call center (866) 408-3556 activated
Sep 23, 2025
Judge John Ross (E.D. Mo.) allows 2024 Black Basta class action (Negron v. Ascension Health, No. 4:24-CV-669-JAR) to proceed on nationwide negligence and state-law subclass claims; breach-of-contract and unjust-enrichment theories dismissed
Dec 5, 2024
Ascension learns patient data may have been involved in a security incident at a former business partner
Jan 21, 2025
Investigation determines Ascension had inadvertently disclosed patient data to the former business partner and that data was likely stolen during the hacking incident
Apr 28, 2025
Ascension files HIPAA breach notification with HHS Office for Civil Rights — 437,329 affected
Apr 29, 2025
Notification letters begin going out; Ascension offers 24 months of Kroll credit monitoring and identity-theft restoration; dedicated call center (866) 408-3556 activated
Sep 23, 2025
Judge John Ross (E.D. Mo.) allows 2024 Black Basta class action (Negron v. Ascension Health, No. 4:24-CV-669-JAR) to proceed on nationwide negligence and state-law subclass claims; breach-of-contract and unjust-enrichment theories dismissed
Data exposed
01
High-risk identity
Enables financial + identity theft
02
Health records
Don't expire and can't be reissued
03
Contact & insurance
Phishing + targeted scams
Class actions filed by
These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.
Your action plan, in five steps.
You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.
01
Accept credit monitoring
It’s the floor of the response. Take it.
02
Freeze your credit
Free at Equifax, Experian, TransUnion.
03
File IRS Form 14039
Prevent fraudulent tax return under your SSN.
04
Review your EOBs
Insurance statements catch medical identity theft early.
05
Stop the ongoing flow
Credit monitoring doesn’t cover your health records. HealthConsent does.
What happened
Ascension Health filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 28, 2025, reporting 437,329 individuals affected in a Hacking/IT Incident at a Network Server. This is a separate event from Ascension’s much larger May 2024 Black Basta ransomware breach, which affected approximately 5.6 million people and arose from an employee downloading a malicious file inside Ascension’s own environment.
The April 2025 incident is downstream: data was stolen from a former business partner, not from Ascension’s own systems. On December 5, 2024, Ascension learned that patient data may have been involved in a potential security incident at the former partner. By January 21, 2025, its investigation had determined that Ascension had inadvertently disclosed patient information to that partner, and that the information was likely stolen by a hacker who exploited a vulnerability in third-party software at the partner. The timing, software platform, and tradecraft are widely linked to the Clop ransomware gang’s mass exploitation of the Cleo file-transfer platform in December 2024, though Ascension has not publicly named the former business partner.
Ascension serves patients across approximately 140 hospitals in 19 states and the District of Columbia and is one of the largest Catholic nonprofit health systems in the United States. Affected individuals had received services at Ascension facilities in Alabama, Indiana, Michigan, Tennessee, and Texas. Texas alone accounts for 114,692 of the 437,329 affected residents, per notification to the Texas Attorney General; Massachusetts residents account for 96, per the Massachusetts AG filing.
In April 2025, Ascension also disclosed a separate, smaller third-party breach involving Scharnhorst Ast Kennard Griffin (SAKG), a Missouri law firm that had served as a business associate; that event affected 639 patients and is distinct from the 437,329-person Cleo-linked incident.
What was stolen
Per Ascension’s notice and corroborating coverage, the exposed data spans both personal identifiers and clinical detail:
- Names, mailing addresses, phone numbers, email addresses
- Dates of birth, race, gender
- Social Security numbers
- Medical record numbers and insurance company names
- Clinical data: physician names, service locations, admission and discharge dates, diagnosis and billing/procedure codes
The combination of SSN with inpatient clinical detail — including diagnosis codes and admission dates — is meaningfully more sensitive than a typical name-plus-SSN breach. Depending on the individual, not every element above was exposed; affected patients’ notification letters identify the specific data types applicable to their record.
What Ascension Health is offering
Ascension is providing 24 months of Kroll-administered credit monitoring, fraud consultation, and identity-theft restoration at no cost to affected individuals. A dedicated call center is available at (866) 408-3556, Monday through Friday, 8 a.m. to 5:30 p.m. CST, excluding major U.S. holidays. Notification letters began going out on approximately April 29, 2025, and contain the individual activation deadline for the Kroll services.
Class actions
Litigation is on two tracks and should not be conflated:
The 2024 Black Basta class action sits in the U.S. District Court for the Eastern District of Missouri before Judge John Ross (Negron v. Ascension Health, No. 4:24-CV-669-JAR). In a September 23, 2025 ruling, the court allowed nationwide negligence and negligence-per-se claims to proceed, along with subclass claims under Arkansas, Florida, Illinois, Wisconsin, Michigan, and Indiana law, while dismissing breach-of-contract and unjust-enrichment theories.
The 2025 (437,329-person) Cleo-linked event does not yet have a known consolidated MDL designation as of this page’s last update. Plaintiff firms including Cohen & Malad LLP (Indianapolis), Gibbs Mura, A Law Group, Strauss Borrelli PLLC, and Federman & Sherwood have publicly opened investigations and are signing up affected patients. Because the breach occurred at a former business partner rather than at Ascension itself, future filings will need to address which entity (Ascension, the unnamed partner, or both) properly bears liability and whether claims should be coordinated with parallel Clop/Cleo litigation involving other healthcare organizations.
What to do
- Read the notification letter carefully. It identifies the specific data elements exposed for your record and contains the Kroll enrollment deadline.
- Enroll in the Kroll credit monitoring and identity-theft restoration that Ascension is offering for 24 months. Call (866) 408-3556 if you did not receive a letter or need your activation code.
- Freeze your credit with Equifax, Experian, and TransUnion. This is free and is the highest-leverage step against new-account identity theft.
- File IRS Form 14039 (Identity Theft Affidavit) if your Social Security number was exposed and you have any concern about fraudulent tax returns filed in your name.
- Watch for medical-identity-theft signals: explanation-of-benefits statements for care you did not receive, unexpected collections from providers, or denials of legitimate claims because your benefits appear already used.
- Preserve your notice letter and envelope. Plaintiff firms accepting clients will ask for them; the postmark establishes your notification date.
- Stop the ongoing flow of your health records. HealthConsent files HIPAA restriction requests so the clinical and demographic data exposed in this breach — including diagnosis codes, admission dates, and SSNs — is not continuously re-shared across insurance networks, billing vendors, and business associates. Start a restriction request at HealthConsent.
Continue reading
Credit monitoring covers your wallet. HealthConsent covers your health records.
Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.
Protect my health dataCancel anytime · Family plan covers spouses + dependents
Sources & further reading
- HHS Office for Civil Rights Breach Portal
- Massachusetts AG — Ascension Health data breach notification letter (April 2025, 96 MA residents)
- HIPAA Journal — Ascension Notifying 437K Patients About Data Breach at Former Business Partner
- SecurityWeek — Ascension Discloses Data Breach Potentially Linked to Cleo Hack
- SecurityWeek — 437,000 Impacted by Ascension Health Data Breach
- BleepingComputer — Ascension discloses new data breach after third-party hacking incident
- BleepingComputer — Ascension says recent data breach affects over 430,000 patients
- SC Media — April 2025 Ascension Health breach affected 437,329, reports HHS
- Security Affairs — Ascension reveals personal data of 437,329 patients exposed in cyberattack
- GovInfoSecurity — Ascension: Software Exploit Breach Affects Nearly 440,000
- The Register — Ascension discloses second major cyber attack in a year
- The Record (Recorded Future News) — More than 100,000 impacted by December data breach at Ascension Health
- Becker's Hospital Review — Ascension alerts patients to data breach linked to former business partner
- Cohen & Malad LLP — Ascension Health Care Data Breach Lawsuit Investigation
- Gibbs Mura, A Law Group — Ascension Health Data Breach Lawsuit Investigation
- Strauss Borrelli PLLC — Ascension Data Breach Investigation
- Federman & Sherwood — Ascension Health Data Breach Investigation
- Tycko & Zavareei LLP — Sabita Soneji appointed to Plaintiffs' Executive Committee in Ascension Health Data Breach Class Action
- Healthcare Dive — Judge allows Ascension cyberattack class action to move forward (2024 Black Basta matter)
- Fierce Healthcare — Class action against Ascension over 2024 cybersecurity breach trimmed, but may continue
- WISH-TV (Indianapolis) — Ascension reveals privacy incident affecting patient information
- WBIW — Ascension Health discloses patient data breach affecting multiple states, including Indiana
- BankInfoSecurity — Ascension Notifying Patients About Rash of Third-Party Hacks
- TechTarget HealthTech Security — Ascension Discloses Multiple Third-Party Data Breaches
Official HHS OCR Breach Portal: ocrportal.hhs.gov
About this page
This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.