Active breach tracker St. Louis, Missouri Disclosed April 28, 2025

Ascension Health Data Breach 2025: 437,329 Patients Exposed via Former Business Partner Tied to Cleo/Clop Attack

Ascension Health filed a HIPAA breach notification with HHS OCR on April 28, 2025, reporting 437,329 individuals affected after a former business partner's systems were compromised in late 2024. The intrusion is widely linked to the Clop ransomware gang's mass exploitation of the Cleo file-transfer platform. This is a separate event from Ascension's May 2024 Black Basta ransomware breach (~5.6M).

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Dec 5, 2024

Ascension learns patient data may have been involved in a security incident at a former business partner

Jan 21, 2025

Investigation determines Ascension had inadvertently disclosed patient data to the former business partner and that data was likely stolen during the hacking incident

Apr 28, 2025

Ascension files HIPAA breach notification with HHS Office for Civil Rights — 437,329 affected

Apr 29, 2025

Notification letters begin going out; Ascension offers 24 months of Kroll credit monitoring and identity-theft restoration; dedicated call center (866) 408-3556 activated

Sep 23, 2025

Judge John Ross (E.D. Mo.) allows 2024 Black Basta class action (Negron v. Ascension Health, No. 4:24-CV-669-JAR) to proceed on nationwide negligence and state-law subclass claims; breach-of-contract and unjust-enrichment theories dismissed

Data exposed

01

High-risk identity

Enables financial + identity theft

Social Security numbers

02

Health records

Don't expire and can't be reissued

Medical record numbers and insurance company names Clinical data: physician names, admission and discharge dates, diagnosis and billing/procedure codes, service locations

03

Contact & insurance

Phishing + targeted scams

Names, mailing addresses, phone numbers, email addresses Dates of birth, race, gender

Class actions filed by

These firms have publicly announced investigations. You may be eligible to join. We are not a law firm and cannot give legal advice.

Cohen & Malad LLP (Indianapolis) — investigation announced Gibbs Mura, A Law Group — investigation announced Strauss Borrelli PLLC — investigation announced Federman & Sherwood — investigation announced Tycko & Zavareei LLP — Sabita Soneji on Plaintiffs' Executive Committee (2024 Black Basta MDL, Case No. 4:24-CV-669-JAR)
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

What happened

Ascension Health filed a HIPAA breach notification with the U.S. Department of Health and Human Services Office for Civil Rights on April 28, 2025, reporting 437,329 individuals affected in a Hacking/IT Incident at a Network Server. This is a separate event from Ascension’s much larger May 2024 Black Basta ransomware breach, which affected approximately 5.6 million people and arose from an employee downloading a malicious file inside Ascension’s own environment.

The April 2025 incident is downstream: data was stolen from a former business partner, not from Ascension’s own systems. On December 5, 2024, Ascension learned that patient data may have been involved in a potential security incident at the former partner. By January 21, 2025, its investigation had determined that Ascension had inadvertently disclosed patient information to that partner, and that the information was likely stolen by a hacker who exploited a vulnerability in third-party software at the partner. The timing, software platform, and tradecraft are widely linked to the Clop ransomware gang’s mass exploitation of the Cleo file-transfer platform in December 2024, though Ascension has not publicly named the former business partner.

Ascension serves patients across approximately 140 hospitals in 19 states and the District of Columbia and is one of the largest Catholic nonprofit health systems in the United States. Affected individuals had received services at Ascension facilities in Alabama, Indiana, Michigan, Tennessee, and Texas. Texas alone accounts for 114,692 of the 437,329 affected residents, per notification to the Texas Attorney General; Massachusetts residents account for 96, per the Massachusetts AG filing.

In April 2025, Ascension also disclosed a separate, smaller third-party breach involving Scharnhorst Ast Kennard Griffin (SAKG), a Missouri law firm that had served as a business associate; that event affected 639 patients and is distinct from the 437,329-person Cleo-linked incident.

What was stolen

Per Ascension’s notice and corroborating coverage, the exposed data spans both personal identifiers and clinical detail:

  • Names, mailing addresses, phone numbers, email addresses
  • Dates of birth, race, gender
  • Social Security numbers
  • Medical record numbers and insurance company names
  • Clinical data: physician names, service locations, admission and discharge dates, diagnosis and billing/procedure codes

The combination of SSN with inpatient clinical detail — including diagnosis codes and admission dates — is meaningfully more sensitive than a typical name-plus-SSN breach. Depending on the individual, not every element above was exposed; affected patients’ notification letters identify the specific data types applicable to their record.

What Ascension Health is offering

Ascension is providing 24 months of Kroll-administered credit monitoring, fraud consultation, and identity-theft restoration at no cost to affected individuals. A dedicated call center is available at (866) 408-3556, Monday through Friday, 8 a.m. to 5:30 p.m. CST, excluding major U.S. holidays. Notification letters began going out on approximately April 29, 2025, and contain the individual activation deadline for the Kroll services.

Class actions

Litigation is on two tracks and should not be conflated:

The 2024 Black Basta class action sits in the U.S. District Court for the Eastern District of Missouri before Judge John Ross (Negron v. Ascension Health, No. 4:24-CV-669-JAR). In a September 23, 2025 ruling, the court allowed nationwide negligence and negligence-per-se claims to proceed, along with subclass claims under Arkansas, Florida, Illinois, Wisconsin, Michigan, and Indiana law, while dismissing breach-of-contract and unjust-enrichment theories.

The 2025 (437,329-person) Cleo-linked event does not yet have a known consolidated MDL designation as of this page’s last update. Plaintiff firms including Cohen & Malad LLP (Indianapolis), Gibbs Mura, A Law Group, Strauss Borrelli PLLC, and Federman & Sherwood have publicly opened investigations and are signing up affected patients. Because the breach occurred at a former business partner rather than at Ascension itself, future filings will need to address which entity (Ascension, the unnamed partner, or both) properly bears liability and whether claims should be coordinated with parallel Clop/Cleo litigation involving other healthcare organizations.

What to do

  1. Read the notification letter carefully. It identifies the specific data elements exposed for your record and contains the Kroll enrollment deadline.
  2. Enroll in the Kroll credit monitoring and identity-theft restoration that Ascension is offering for 24 months. Call (866) 408-3556 if you did not receive a letter or need your activation code.
  3. Freeze your credit with Equifax, Experian, and TransUnion. This is free and is the highest-leverage step against new-account identity theft.
  4. File IRS Form 14039 (Identity Theft Affidavit) if your Social Security number was exposed and you have any concern about fraudulent tax returns filed in your name.
  5. Watch for medical-identity-theft signals: explanation-of-benefits statements for care you did not receive, unexpected collections from providers, or denials of legitimate claims because your benefits appear already used.
  6. Preserve your notice letter and envelope. Plaintiff firms accepting clients will ask for them; the postmark establishes your notification date.
  7. Stop the ongoing flow of your health records. HealthConsent files HIPAA restriction requests so the clinical and demographic data exposed in this breach — including diagnosis codes, admission dates, and SSNs — is not continuously re-shared across insurance networks, billing vendors, and business associates. Start a restriction request at HealthConsent.

Continue reading

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

Sources & further reading

Official HHS OCR Breach Portal: ocrportal.hhs.gov

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.