Ascension cyberattack exposed medical data of 5.6M customers

Published by HealthcareITNews and other sources, 2024-12-26 13:25

Information included payment details such as credit card or bank account numbers and insurance info ranging from Medicaid and Medicare IDs to policy numbers and claims. Secure EHR data was not accessed.

By Nathan Eddy

December 26, 2024 10:46 AM

A cyberattack on May 8 against healthcare giant Ascension resulted in the medical data of 5.6 million customers being exposed, according to a filing with the Maine attorney general’s office published on December 20.

WHY IT MATTERS

In June, the health system determined the attacker gained access to its systems after an employee at one of its facilities inadvertently downloaded a malicious file, believing it to be legitimate.

The organization stated there was no indication that the incident was anything other than an honest mistake.

Months of investigation with third-party experts also led to Ascension determining sensitive data belonging to current and former patients, senior living residents, and employees was potentially exposed.

A December 19 announcement from Ascension noted the compromised information varies by individual and may include medical details such as medical record numbers, dates of service, lab test types, and procedure codes.

Payment information, including credit card or bank account numbers; insurance details ranging from Medicaid and Medicare IDs to policy numbers and claims; government identification, including Social Security numbers, tax IDs, driver’s licenses, or passports; and personal information such as addresses and dates of birth were potentially involved.

Ascension also confirmed its electronic health records and other core clinical systems, where full patient records are securely stored, were not accessed during the attack.

THE LARGER TREND

Other major healthcare breaches in 2024 include a cyberattack against Change Healthcare in February, which impacted 100 million people, the largest breach ever reported to federal regulators.

In April, Kaiser Permanente reported 13.4 million people were affected by a data breach that exposed patient and plan members' information.

Meanwhile, legislation is being proposed to bolster healthcare cybersecurity defense in the form of the Health Care Cybersecurity and Resiliency Act.

The bipartisan bill, introduced in November, would offer grants to healthcare organizations to help them shore up their ability to prevent and respond to cyberattacks.

Meanwhile, governance remains a concerning weak point in healthcare, even as cyberattacks are becoming more prominent and the risks of IoT medical devices are coming into sharper focus.

ON THE RECORD

Tim Rawlins, senior adviser and director, Security, at cybersecurity consultancy NCC Group, noted healthcare will always be an attractive target, given the sheer quantity of sensitive data organizations hold and the need to make information available to the medical staff as quickly as possible.

'Basic cyber security measures, individual log ins, multi-factor authentication, and patched, secure and monitored systems will go a long way to preventing these attacks,' he said.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.

Email the writer: nathaneddy@gmail.com

Twitter: @dropdeaded209

Topics: Electronic Health Records (EHR, EMR), Financial/Revenue Cycle Management, Privacy & Security
