5.6 Million Patients Affected as Senator Wyden Links Ascension Breach to Microsoft's 'Gross Cybersecurity Negligence'

U.S. Senator Ron Wyden has formally accused Microsoft of "gross cybersecurity negligence," asserting that the company's security shortcomings contributed to the significant ransomware attack against hospital operator Ascension. In a letter addressed to Federal Trade Commission (FTC) Chair Andrew Ferguson, the Oregon Democrat urged the agency to investigate Microsoft's role in the incident. According to a Bloomberg News report, Senator Wyden specifically stated that Microsoft's alleged negligence led to the hospital operator's breach. This accusation highlights growing concerns over the security of critical infrastructure and the accountability of major technology providers.

The May 2024 cyberattack on Ascension, one of the nation's largest nonprofit health systems, severely disrupted operations at its 142 hospitals and affected approximately 5.6 million patients. The incident, attributed to the Black Basta ransomware variant, led to the unavailability of electronic health records, delayed medical procedures, and ambulance diversions across multiple states. Ascension confirmed that patient data, including personal and medical information, was exfiltrated during the breach. The attack caused significant operational and financial strain, forcing the health system to resort to manual, paper-based systems for weeks.

Senator Wyden's letter to the FTC builds on a history of his criticism regarding Microsoft's cybersecurity practices. He highlighted what he termed "glaring cybersecurity flaws" that he believes enabled the attack on the hospital system. Wyden has previously called for federal investigations into Microsoft following other major security incidents, including a 2023 Chinese espionage campaign that compromised government emails and the 2020 SolarWinds hack. His consistent argument centers on Microsoft's alleged failure to implement robust security measures, such as proper encryption key management, despite its significant role in government and critical infrastructure IT.

The Senator's request calls upon the FTC to examine whether Microsoft's practices violated federal laws, potentially including those prohibiting unfair and deceptive business practices, and to review compliance with any prior consent decrees related to security failures. This push for accountability underscores a broader governmental effort to enhance cybersecurity standards among technology vendors. While Microsoft has previously stated that such incidents reflect the "evolving challenges of cybersecurity," Wyden's renewed pressure signals a demand for more stringent oversight and responsibility from tech giants in protecting vital national systems. The outcome of the FTC's potential investigation could set a precedent for vendor liability in major cyber incidents.