Ascension Healthcare patient data was compromised in the 2023 MOVEit Transfer software supply-chain attack carried out by the Cl0p ransomware group. The Cl0p group exploited a previously unknown zero-day vulnerability in Progress Software's MOVEit Transfer file-sharing platform around May 28-31, 2023, accessing data from hundreds of organizations worldwide that used MOVEit either directly or through vendors. The Ascension portion of the incident was indexed in late 2024 by breach-tracking services after disclosures continued to surface from various MOVEit-affected vendors handling Ascension patient data.\n\nThe breach affected approximately 261,000 Ascension patient records. Compromised fields included names, home addresses, phone numbers, Social Security numbers, and medical diagnosis information. Cl0p exploited the MOVEit zero-day to extract data from MOVEit Transfer servers operated by various organizations in the broader healthcare supply chain. Ascension itself was not the direct MOVEit operator; rather, patient data flowed through vendors that used MOVEit for secure file transfer.\n\nFor affected patients, the practical risk profile is severe and durable. The combination of name, address, Social Security number, and medical diagnosis is a strong base for synthetic identity fraud, fraudulent credit applications, and medical-themed scams that reference real diagnoses. Ascension patients should also note that they may have been affected by additional unrelated incidents at Ascension, including the May 2024 direct ransomware attack and the late 2024 Cleo-related vendor breach. Affected individuals should freeze credit at all three U.S. bureaus, monitor health-insurance and Medicare statements closely for unfamiliar charges, and treat unsolicited contact referencing Ascension, related hospitals, or insurance verification with caution. The combination of multiple back-to-back disclosures involving the same patient population makes Ascension patients an unusually attractive target for medical-fraud and identity-theft attempts.

Large nonprofit health systems collect patient identity, contact, insurance, billing, scheduling, and clinical records across hospitals, clinics, and administrative systems.

The 2023 MOVEit-related disclosure was followed by two further major incidents at Ascension. In May 2024, Ascension was directly hit by a Black Basta ransomware attack that began when an employee downloaded a malicious file, ultimately affecting approximately 5.6 million patients and forcing extended outages of clinical systems across the network. The system reported a \$1.1 billion net loss for fiscal 2024 due in part to the attack. In April 2025, Ascension disclosed a separate incident at a former business partner involving the late-2024 Cl0p exploitation of Cleo file-transfer software, ultimately affecting approximately 437,000 additional patients. Multiple class-action lawsuits and a continuing federal Office for Civil Rights review remain active as of 2026.