Kentucky-based nonprofit healthcare system Norton Healthcare has confirmed that hackers accessed the personal data of millions of patients and employees during a previous ransomware attack.
Norton operates more than 40 clinics and hospitals in and around Louisville, Kentucky, and is the city’s third largest private employer. The organization has more than 20,000 employees and more than 3,000 total providers on its medical staff, according to its website.
In a filing with the Maine attorney general on Friday, Norton said the sensitive data of about 2.5 million patients, as well as employees and their dependents, was accessed during the ransomware attack in May.
In a letter to those affected, the nonprofit said the hackers accessed “certain network storage devices between May 7 and May 9,” but did not access Norton Healthcare’s medical records system or Norton MyChart, its online medical records application.
But Norton admitted that, after a “time-consuming” internal investigation that the organization completed in November, it found that the hackers had access to a “wide range of sensitive information,” including names, dates of birth, Social Security numbers, health and insurance information and medical identification numbers.
Norton Healthcare says that, for some individuals, the exposed data may have also included financial account numbers, driver’s licenses or other government identification numbers, as well as digital signatures.
It is not known if any of the data accessed was encrypted.
Norton says it notified law enforcement about the attack and confirmed it did not make any ransom payments. The organization did not name the hackers responsible for the cyberattack, but the incident was claimed by the notorious ALPHV/BlackCat ransomware gang in May, according to data breach news website DataBreaches.net, which reported that the group claimed to have leaked nearly five terabytes of data. TechCrunch was unable to confirm this as ALPHV’s website was not accessible at the time of writing.
Norton Healthcare is just one of several US-based healthcare organizations to experience a data breach affecting millions of people this year.
The US Department of Health and Human Services (HHS) said recently that “major breaches” reported to the Office for Civil Rights have more than doubled over the past four years, and that ransomware attacks have increased nearly three-fold. The federal government department added that breaches reported this year had affected more than 88 million people, a 60 percent increase compared to 2022.
According to the HHS data breach portal, US healthcare provider HCA Healthcare experienced the largest healthcare data breach of 2023 so far, after hackers posted the sensitive data of around 11 million patients on a well-known cybercrime forum.
Perry Johnson & Associates, or PJ&A, a Nevada-based medical transcription service, experienced the second-largest healthcare data breach after a cyber attack exposed the sensitive data of nearly nine million patients. This was followed by a breach at US dental giant Managed Care of North America (MCNA), which affected 8.9 million of the organization’s customers.
