Incident Analysis

Ascension Health Black Basta Ransomware: 5.6M Patients Impacted

Black Basta ransomware hit Ascension's network on May 8, 2024 after an employee downloaded a malicious file, forcing ambulance diversions at hospitals across its 140-hospital system and ultimately leading to breach notifications for 5.6 million patients.

Yukti Singhal
Security Researcher
6 min read

On May 8, 2024, IT staff at Ascension, the largest Catholic non-profit health system in the United States with about 140 hospitals across 19 states, detected unusual activity on the corporate network. Within hours clinicians were losing access to the electronic health record, MyChart, some phone systems, and the systems used to order tests, procedures and medications, and emergency departments at hospitals from Wichita to Indianapolis began diverting ambulances. By the weekend, clinicians were charting vitals on paper, pharmacists were dispensing from hand-written and faxed orders, and staff reported lab results that normally arrived in minutes taking days. On December 19, 2024, Ascension's notification to HHS put the number of affected individuals at 5,599,699, making this the third-largest U.S. healthcare breach of the year after Change Healthcare and Kaiser. Ascension has never named the actor; the intrusion has been widely attributed to Black Basta on the basis of CNN's reporting from sources familiar with the investigation.

How did Black Basta get in?

Ascension's June 12, 2024 update and the December 19 notification letter agree on the entry vector: an employee unintentionally downloaded a malicious file that they believed was legitimate. That is the only detail Ascension has released about the intrusion chain. Secondary reporting has added specifics (a search-engine-poisoned download, a loader dropping a QakBot successor, a domain controller reached within roughly a day using Cobalt Strike and SystemBC, Kerberos credential theft with Mimikatz), but none of it has been confirmed by Ascension and it should be read as a reconstruction, not a finding. What is well documented is the playbook. The CISA/FBI/HHS/MS-ISAC joint advisory AA24-131A, published May 10, 2024 while the outage was unfolding, describes Black Basta affiliates gaining initial access through phishing and exploitation of exposed vulnerabilities, scanning with SoftPerfect, moving laterally with BITSAdmin, PsExec and RDP, harvesting credentials with Mimikatz, running Cobalt Strike beacons and SystemBC, disabling EDR with Backstab, and exfiltrating with RClone before encryption. The advisory names no victims; it says affiliates had hit more than 500 organisations globally, across 12 of the 16 critical-infrastructure sectors.

What did the encryption actually break?

Ascension's June 12 update said the attacker took files from 7 of its approximately 25,000 servers before deploying the ransomware. Ascension has not published a list of which systems were encrypted. Its updates said the EHR, MyChart, some phone systems, and the systems used to order tests, procedures and medications were unavailable, and it reported EHR access restored across all markets on June 14. The operational pattern staff described is what you see when the integration and automation tier is lost even if the record system itself survives: without interface engines (products such as Cloverleaf or Rhapsody), lab results do not flow from the analyser to the bedside; without the back end of automated dispensing cabinets (such as Omnicell), nurses cannot pull medications and fall back to manual counts and paper orders. Several hospitals, notably Ascension Saint Agnes in Baltimore and Ascension St. Vincent's in Indianapolis, issued ambulance diversion notices that persisted for days. Nurses at Ascension facilities told local outlets they had seen near-miss medication errors during the outage that they attributed to manual order entry.

What data was exfiltrated?

The December 2024 notification letter says the stolen files contained some combination of: medical record numbers, dates of service, lab test types and procedure codes; credit-card and bank-account numbers; Medicare/Medicaid IDs, insurance policy numbers and claim numbers; Social Security numbers, tax identification numbers, driver's licence numbers and passport numbers; and dates of birth and addresses. Not every individual had every element exposed. Class-action complaints allege that Black Basta operators listed "Ascension Health Network" on their Tor leak site in May 2024 and that the entry later disappeared. Ascension has declined to say whether it paid a ransom; the removal of a leak-site listing is consistent with payment, with a negotiation in progress, or with the operators simply reorganising their site, and is not evidence either way.

How long was Black Basta inside?

Threat-intel firm RedSense, in a July 2024 report cited by HIPAA Journal, dated the first Black Basta beacons inside Ascension's network to April 30, 2024, roughly eight days before detonation; Ascension has not confirmed that timeline. It is in line with Mandiant's M-Trends 2024 figures, which put the global median dwell time at 10 days and the median for ransomware intrusions at just 5 days. That compression is the defender's problem: a week of dwell produces very little lateral-movement telemetry, and the window between the first beacon and encryption is shorter than the time most hospital SOCs take to escalate an anomalous-process alert.

Why did existing controls fail?

Three likely reasons. Ascension has not published a root-cause analysis, so these are inferences from the stated entry vector and from the Black Basta playbook in AA24-131A, not confirmed findings. First, a file the user fetched with a browser never passes through the secure email gateway, and web-content filtering on a managed workstation rarely blocks a freshly registered domain on its first day; if the lure arrived through a poisoned search result, as some reporting claims, the email controls Ascension had were simply not in the path. Second, Black Basta affiliates use packed or freshly compiled Cobalt Strike loaders, commonly launched through rundll32, and the advisory notes they carry tooling such as Backstab to disable EDR; a signature-driven endpoint product typically lags a new loader build by hours, which is longer than the group needs. Third, the outage pattern implies that even if the EHR database was isolated from the workstation VLAN, the integration and pharmacy-automation tier was reachable from ordinary domain-joined endpoints. That is the lateral-movement path the joint advisory's mitigations (network segmentation, least privilege, EDR coverage) are aimed at, and HHS HC3 issued its own sector alert on Black Basta while the outage was under way.

# Detection: rundll32 loading a renamed DLL (.dat) through its Start export.
# Ascension has not published IOCs; this rule encodes a loader pattern reported
# for Black Basta affiliates, not anything confirmed from the Ascension intrusion.
title: Black Basta Loader via rundll32 with DAT Argument
id: 9e3c4af7-bb01-4d2c-b3a9-0a5c24bb0001
status: experimental
description: Detects rundll32.exe launched from explorer.exe with a .dat file and a Start export on the command line, a loader pattern associated with Black Basta affiliates.
references:
  - https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-131a
tags:
  - attack.defense_evasion
  - attack.t1218.011
logsource:
  product: windows
  category: process_creation
detection:
  selection:
    Image|endswith: '\rundll32.exe'
    CommandLine|contains|all:
      - '.dat,'
      - 'Start'
  selection_parent:
    ParentImage|endswith: '\explorer.exe'
  condition: selection and selection_parent
falsepositives:
  - Legitimate software that ships a DLL with a .dat extension and a Start export (rare; confirm with file path and signer)
level: high
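The rule's logic re-implemented as plain Python and run over constructed process-creation events, so the matching semantics (case-insensitive endswith and contains, both selections required) can be checked before the rule is deployed. This is an added example, not code from the original page, from Ascension or from any SIEM; the event records, paths and user names are made up, and the matching functions are this example's own.

```python
"""Run the rundll32 '.dat,Start' detection logic over constructed process-creation events.

Added example; not code from the original page or from Ascension. It re-implements
the Sigma rule above as plain Python so the matching semantics (case-insensitive
endswith/contains, both selections required) can be checked against sample events.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal Sysmon Event ID 1 / Windows 4688 style process-creation record."""
    image: str
    command_line: str
    parent_image: str


def _endswith_ci(value: str, suffix: str) -> bool:
    # Sigma string modifiers are case-insensitive by default.
    return value.lower().endswith(suffix.lower())


def _contains_all_ci(value: str, needles) -> bool:
    lowered = value.lower()
    return all(n.lower() in lowered for n in needles)


def matches_rundll32_dat_loader(ev: ProcessEvent) -> bool:
    """Equivalent of the rule's 'condition: selection and selection_parent'."""
    selection = _endswith_ci(ev.image, "\\rundll32.exe") and _contains_all_ci(
        ev.command_line, [".dat,", "Start"]
    )
    selection_parent = _endswith_ci(ev.parent_image, "\\explorer.exe")
    return selection and selection_parent


# Constructed sample events (not real telemetry); paths and names are illustrative.
SAMPLE_EVENTS = [
    # 0: user double-clicks an extracted file; loader runs a renamed DLL -> should alert
    ProcessEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r"rundll32.exe C:\Users\user1\Downloads\invoice\report.dat,Start",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    # 1: benign rundll32 use from the shell (Control Panel applet) -> no alert
    ProcessEvent(
        image=r"C:\Windows\System32\rundll32.exe",
        command_line=r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
        parent_image=r"C:\Windows\explorer.exe",
    ),
    # 2: same loader pattern but parented by a service host -> missed (rule scope)
    ProcessEvent(
        image=r"C:\Windows\SysWOW64\rundll32.exe",
        command_line=r"rundll32.exe C:\ProgramData\cache\update.dat,Start",
        parent_image=r"C:\Windows\System32\svchost.exe",
    ),
    # 3: uppercase variant still matches because Sigma matching is case-insensitive
    ProcessEvent(
        image=r"C:\WINDOWS\SYSTEM32\RUNDLL32.EXE",
        command_line=r"RUNDLL32.EXE C:\Users\user1\AppData\Local\Temp\x.DAT,START",
        parent_image=r"C:\WINDOWS\EXPLORER.EXE",
    ),
    # 4: file opened via cmd.exe rather than rundll32 -> no alert from this rule
    ProcessEvent(
        image=r"C:\Windows\System32\cmd.exe",
        command_line=r"cmd.exe /c start C:\Users\user1\Downloads\report.dat",
        parent_image=r"C:\Windows\explorer.exe",
    ),
]


def run_detection(events):
    """Return the indices of events the rule would alert on."""
    return [i for i, ev in enumerate(events) if matches_rundll32_dat_loader(ev)]


if __name__ == "__main__":
    for i in run_detection(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i].command_line}")
```

Events 0 and 3 alert; event 2 shows the cost of requiring an explorer.exe parent: the same loader staged by a service or scheduled task is missed. The trade-off is deliberate (it keeps scripted rundll32 noise out), but if the SOC can absorb the volume, replace selection_parent with a filter that excludes known-good parents instead.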

What should hospitals do now?

Five concrete actions. First, segment clinical systems that sit near the point of care (interface engines, PACS, infusion-pump managers, pharmacy automation) into a dedicated clinical-systems VLAN with explicitly allow-listed flows to and from the EHR and no route from the general workstation VLAN; interface traffic is bidirectional (orders out, results back), so the control is a tight allow-list, not a one-way gate. Second, enforce application control on every clinician workstation so that a file downloaded from a browser or extracted from an archive cannot execute, whichever search engine or mailbox delivered it. Third, implement the HHS Cybersecurity Performance Goals, at minimum the "Strong Encryption" and "Email Security" essentials and the "Asset Inventory" enhanced goal, ahead of the HIPAA Security Rule update proposed in January 2025 that would make controls like these mandatory. Fourth, build muscle memory for downtime: run a quarterly tabletop in which Epic, lab, pharmacy, and imaging all go dark simultaneously for 48 hours. Fifth, demand SBOMs from every clinical-systems vendor and reconcile them against an asset inventory that records internet exposure; the next Black Basta affiliate is as likely to come in through a Cleo, Ivanti or Citrix flaw in a vendor appliance you did not know was internet-reachable as through a downloaded file.
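The fifth action above (SBOMs reconciled against the KEV catalogue and an asset inventory that records exposure) as an added example; this is not Safeguard's, Ascension's or any vendor's code. It assumes a CycloneDX JSON SBOM, a KEV subset written in the catalogue's own field names, and an asset inventory keyed by package URL. All three fixtures are constructed: the CVE IDs are real KEV entries for the vendors named above, but every other KEV field value is illustrative and must be taken from the live feed. Because KEV records carry no affected-version ranges, a hit means "review this component", not "confirmed vulnerable".

```python
"""Cross-reference a CycloneDX SBOM against a KEV-style catalogue and an asset inventory.

Added example; not Safeguard's, Ascension's, or any vendor's code. The SBOM, the KEV
subset and the asset inventory below are constructed fixtures. KEV's JSON feed
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
uses the field names cveID, vendorProject, product and knownRansomwareCampaignUse;
this script never fetches it. KEV carries no affected-version ranges, so a hit here
means "review this component", not "confirmed vulnerable".
"""
import json
import re

STOP_WORDS = {"and", "multiple", "products", "product"}

# Constructed CycloneDX 1.5 document: three edge appliances and one interface engine.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "application", "publisher": "Cleo", "name": "Harmony",
         "version": "5.8.0.21", "purl": "pkg:generic/cleo/harmony@5.8.0.21"},
        {"type": "device", "publisher": "Citrix", "name": "NetScaler Gateway",
         "version": "13.1-49.13", "purl": "pkg:generic/citrix/netscaler-gateway@13.1-49.13"},
        {"type": "device", "publisher": "Ivanti", "name": "Connect Secure",
         "version": "22.5R2", "purl": "pkg:generic/ivanti/connect-secure@22.5R2"},
        {"type": "application", "publisher": "Infor", "name": "Cloverleaf",
         "version": "20.1", "purl": "pkg:generic/infor/cloverleaf@20.1"},
    ],
})

# Constructed KEV subset in the catalogue's schema. The CVE IDs are real KEV entries for
# these vendors; product strings and ransomware flags are illustrative, take them from the feed.
KEV_SUBSET = [
    {"cveID": "CVE-2024-50623", "vendorProject": "Cleo", "product": "Multiple Products",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
     "product": "NetScaler ADC and NetScaler Gateway", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2024-21887", "vendorProject": "Ivanti",
     "product": "Connect Secure, Policy Secure, and Neurons", "knownRansomwareCampaignUse": "Known"},
]

# Constructed asset inventory keyed by purl. The Ivanti appliance is deliberately absent:
# the appliance nobody inventoried is the one the text warns about.
ASSETS = {
    "pkg:generic/cleo/harmony@5.8.0.21": {"zone": "dmz", "internet_reachable": True},
    "pkg:generic/citrix/netscaler-gateway@13.1-49.13": {"zone": "dmz", "internet_reachable": True},
    "pkg:generic/infor/cloverleaf@20.1": {"zone": "clinical-integration", "internet_reachable": False},
}


def _tokens(text):
    return set(re.findall(r"[a-z0-9]+", text.lower())) - STOP_WORDS


def load_components(sbom_json):
    return json.loads(sbom_json)["components"]


def kev_matches(component, kev):
    """KEV entries whose vendor equals the component publisher and whose product
    shares a token with the component name. An empty product token set (for
    example 'Multiple Products') matches every component from that vendor."""
    vendor = component.get("publisher", "").lower()
    name_tokens = _tokens(component["name"])
    hits = []
    for entry in kev:
        if entry["vendorProject"].lower() != vendor:
            continue
        product_tokens = _tokens(entry["product"])
        if not product_tokens or name_tokens & product_tokens:
            hits.append(entry)
    return hits


def triage(sbom_json, kev, assets):
    """Rank hits: internet-reachable (unknown exposure counts as reachable) +2,
    known ransomware use +1. Highest priority first, ties broken on purl."""
    findings = []
    for comp in load_components(sbom_json):
        for entry in kev_matches(comp, kev):
            asset = assets.get(comp["purl"])
            reachable = True if asset is None else asset["internet_reachable"]
            score = (2 if reachable else 0) + (1 if entry["knownRansomwareCampaignUse"] == "Known" else 0)
            findings.append({
                "purl": comp["purl"],
                "cveID": entry["cveID"],
                "zone": asset["zone"] if asset else "unknown",
                "internet_reachable": reachable,
                "exposure_verified": asset is not None,
                "priority": score,
            })
    findings.sort(key=lambda f: (-f["priority"], f["purl"]))
    return findings


if __name__ == "__main__":
    for f in triage(SBOM_JSON, KEV_SUBSET, ASSETS):
        flag = "" if f["exposure_verified"] else "  <- not in asset inventory, verify exposure"
        print(f'P{f["priority"]} {f["cveID"]:<15} {f["purl"]} zone={f["zone"]}{flag}')
```

The Cloverleaf component produces no finding because its vendor is not in the catalogue subset, while the un-inventoried Ivanti appliance is ranked as if it were internet-reachable; treating unknown exposure as the worst case is what turns an SBOM feed into a prompt to finish the asset inventory rather than a list that quietly omits the appliance nobody owns.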

How Safeguard Helps

Safeguard ingests SBOMs from every clinical and IT vendor in a hospital's portfolio and continuously cross-references components against the CISA KEV catalogue, Black Basta IOCs published by HHS HC3, and Mandiant's malware ATT&CK mappings, so when a new edge-appliance CVE or loader family is disclosed, a hospital can identify exposed Cloverleaf, Rhapsody, Omnicell, and PACS instances in minutes rather than days. Griffin AI reachability analysis prioritises vulnerabilities that are actually exploitable from clinician-workstation VLANs, suppressing the lab-network-only findings that dilute triage. TPRM scoring tracks every healthcare vendor against the HHS CPG essential and enhanced goals, downgrading suppliers that miss patching SLAs or refuse to share SBOMs. Policy gates block any new clinical software release that embeds a CISA KEV-listed component and ingest VEX statements from device manufacturers, so responders see a clean, prioritised view during the next ransomware event.
