Ascension Health Confirms Data Breach Affecting 5.6 Million Patients

Ascension Health, one of the largest nonprofit healthcare systems in the United States, has confirmed a data breach affecting approximately 5.6 million current and former patients.

The breach, which occurred between February and April 2026, exposed sensitive information including names, Social Security numbers, dates of birth, medical record numbers, health insurance information, and in some cases, clinical data such as diagnoses and treatment information.

"We deeply regret this incident and the concern it may cause our patients," said Ascension Health CEO Joseph Impicciche in a statement. "We have taken immediate steps to enhance our security measures and are working with leading cybersecurity firms to prevent future incidents."

The healthcare system operates 140 hospitals across 19 states and the District of Columbia. Notification letters began going out to affected individuals this week, and the company is offering two years of free credit monitoring and identity theft protection services.

According to Ascension's filing with the Department of Health and Human Services, the breach resulted from a sophisticated phishing campaign that compromised employee credentials, allowing attackers to access internal systems.

Healthcare data breaches have significant implications beyond financial fraud. "Medical identity theft can result in corrupted health records, which can have life-threatening consequences," noted privacy advocate Margaret Sullivan of the Patient Privacy Rights Foundation.

The breach is now under investigation by the HHS Office for Civil Rights, which enforces HIPAA regulations. Ascension could face substantial penalties if found to have violated federal privacy requirements.