Ascension has joined the ranks of nearly two dozen health care companies in Tennessee experiencing cyberattacks.
The St. Louis-based parent company announced a ransomware attack about a week ago. It operates the Saint Thomas hospital system and scores of other facilities throughout the state, such as urgent care clinics, physical therapy offices, sleep centers and heart hospitals.
Ascension has been issuing updates since the initial event on May 8. It confirmed the next day the unusual activity was a ransomware attack. Over the weekend, the company issued a statement saying it was working with several law enforcement agencies that are investigating the attack.
The company hasn’t commented on the attackers, but several organizations, including the American Hospital Association, have pointed a finger at Black Basta, a “known Russian-speaking ransomware gang.”
Health companies have 60 days to report breaches that affect more than 500 people to the U.S. Department of Health and Human Services. The federal agency’s complaint portal isn’t showing the Ascension attack yet. But it does list 23 others that have occurred in Tennessee over the past few years.
Health data is more valuable on the black market than credit cards and Social Security numbers. Cyberattacks on U.S. health care companies more than doubled over the past five years.
The company’s website said services like surgeries and appointments shouldn’t be affected. Some emergency rooms are going “on divert,” which means they’ll tell ambulances to go to another hospital. The issues that will stick around the longest will be in communication technology, like electronic health records systems, patient portals and the system that facilities use to order tests and medications. That being said, in Tennessee, imaging and testing are still available — just with delays.
Fitch, one of the country’s three major credit ratings agencies, released commentary on the hack this week. The company didn’t ding the hospital chain’s rating in the wake of the attack, but noted how common events like these are becoming.
“Ascension’s recent cyberattack… highlights the healthcare sector’s historic increase in the number, severity and frequency of cyber assaults, particularly over the last several months,” the commentary reads in part. “Although cyberattacks have not led to any downgrades so far, they underscore the increasing skills of hackers who could cause more harmful attacks in the future. These attacks could in time disrupt healthcare delivery, making it important to always monitor them closely.”
Other attacks in Tennessee have happened to insurance companies, including Blue Cross Blue Shield of Tennessee, and smaller hospitals such as the Murfreesboro Medical Clinic. The HHS complaint portal does list the number of people who are estimated to be affected, but that number doesn’t necessarily count only Tennesseans — especially because so many national companies are based here. For example, an HCA Healthcare breach happened last year, affecting an estimated 11 million people. Only 7 million people live in Tennessee.
This year, a Tennessee-based company underwent the largest health data hack in U.S. history. Change Healthcare, a subsidiary of UnitedHealth Group, manages health records, among other things. It’s such a large organization it manages an estimated 15 billion health care transactions annually and touches 1 in every 3 patient records. Doctors across the country say they’re missing revenue because Change can’t process their claims. In April, about a month after the attack, the American Medical Association released a survey showing more than 70% of the responding doctors were still having trouble with claims.
Tennessee lawmakers considered a bill this year that would have made it harder to file a class action lawsuit against a health care company after a data breach. Under current law, companies have to take “reasonable care” to prevent leaks. But Senate Bill 2018 and its counterpart House Bill 2434 would have raised the bar, so victims would have to prove willful or reckless negligence. The measure passed out of the House but stalled in the Senate.