Ascension, a healthcare company that operates 140 hospitals and 40 senior care facilities throughout the country, on December 19th disclosed that it had suffered a data breach going back to May of 2024 affecting 5,599,699 of its patients and employees.
Ascension was hacked through a social engineering email from a ransomware gang that lured an Ascension employee into downloading malware, which enabled the hackers to steal Ascension’s data.
The compromised information varies depending on the individual, but includes medical information, credit card information, bank account numbers, medical insurance information, Social Security numbers and other personal information, which provides a treasure trove for scammers and identity thieves.
Ascension began notifying victims of the data breach by mail last week and will continue reaching out to victims through January of 2025. Ascension is offering 24 months of identity theft protection services including services that scour the Dark Web, that part of the Internet where cybercriminals buy goods and services, to determine if the stolen information is being sold to identity thieves and other criminals.
Data breaches are common, and healthcare companies are a primary target for hackers for a variety of reasons, including the general lack of security at many healthcare companies and the extensive personal and medical information they store. That includes health insurance information, which can be sold by criminals on the Dark Web for $350, while credit card information goes for as little as $10.
Having your health insurance policy used by an identity thief is particularly dangerous because it can result in your medical records being corrupted by the medical information of the identity thief, and it can be difficult to get this information removed from your medical records. Having the medical information of an identity thief on your medical records could even result in your getting a blood transfusion of the wrong blood type.
Making the problem worse, HIPAA privacy laws actually protect the identity thief’s information that may be added to the medical identity theft victim’s medical records, making it difficult to have the identity thief’s information removed. Medical identity theft victims must provide extensive documentation to support their request to have the identity thief’s information removed, and HIPAA does not have a specific process for disputing fraudulent medical information, leaving it up to individual providers to determine their standards and procedures.
WHAT SHOULD VICTIMS DO?
Victims of this data breach should freeze their credit if they have not already done so. Freezing your credit is the best thing you can do to protect yourself from identity theft. It is free and easy to do. It protects you from someone using your identity to obtain loans or make large purchases even if they have your Social Security number. If you have not already done so, put a credit freeze on your credit reports at each of the three major credit reporting agencies. Here are links to each of them with instructions about how to get a credit freeze:
https://www.transunion.com/credit-freeze
A person’s Social Security number is a key to identity theft. Armed with this single piece of information, an identity thief can steal your identity and make your life miserable. Healthcare providers and others routinely ask for your Social Security number although they have no need for it. Respectfully demur when asked for your Social Security number by a healthcare provider or other company and offer some other personal identifier, such as your driver’s license number whenever possible.
Everyone also should monitor their credit reports regularly for indications of identity theft. The three major credit reporting agencies now provide free weekly access to your credit reports so you can monitor your credit reports easily on your own.
Here is the only link to use to get your free credit reports:
Some scammers have websites that appear to offer “free” credit reports, but if you read the fine print, you often may find that you have signed up for unnecessary services.
Specifically as to medical identity theft, it is important to carefully read your Explanation of Benefits (EOB), which is the form you receive from your health insurer whenever your health insurance policy is accessed, detailing the services provided and the cost for those services. Many people get confused by these forms, which contain code and jargon that rarely offer a clear explanation of anything. Consequently, many people merely look at the bottom right corner of the form to see if any payment is required or if the service was totally paid for by insurance and, if no payment is requested, don’t bother to try to understand the form. Unfortunately, if you do not carefully peruse your Explanation of Benefits, you may miss charges or use of your medical insurance by an identity thief.
Finally, be wary of anyone who calls you offering help in regard to the data breach and asks for personal information, as that is a favorite tactic of identity thieves to lure you into providing additional personal information. As always, never click on a link or download an attachment in an email or text message unless you have absolutely confirmed that it is legitimate, and don’t provide personal information in response to an email, text message or phone call unless you have absolutely confirmed that the communication is legitimate.