Kentucky-based non-profit healthcare system Norton Healthcare has recently announced that it experienced a ransomware attack earlier this year, whereby hackers gained access to the personal data of millions of patients. Norton Healthcare, operating over 40 clinics and hospitals in and around Louisville, Kentucky, is the city’s third-largest private employer.
Key Takeaway
Norton Healthcare, a non-profit healthcare system, has confirmed that hackers accessed the personal data of around 2.5 million patients and employees during a ransomware attack. The breach, which occurred earlier this year, exposed sensitive information such as names, Social Security numbers, and health records. This incident highlights the increasing number of data breaches in the healthcare sector and the need for robust cybersecurity measures to protect patient information.
Details of the Attack
During the May attack, hackers managed to access sensitive information from approximately 2.5 million patients, as well as employees and their dependents. The breach included names, dates of birth, Social Security numbers, health and insurance information, and medical identification numbers. In some cases, the exposed data may have also included financial account numbers, driver’s licenses or other government ID numbers, as well as digital signatures. It remains uncertain whether any of the accessed data was encrypted.
Following an extensive internal investigation, Norton Healthcare confirmed that the hackers had accessed certain network storage devices between May 7 and May 9. However, they were not able to infiltrate Norton Healthcare’s medical record system or Norton MyChart, its electronic medical record system. Norton Healthcare has informed law enforcement about the attack but reiterated that no ransom payment was made. The organization did not specifically identify the hackers responsible for the cyberattack, but it was reported that the incident was claimed by the ALPHV/BlackCat ransomware gang in May.
Increasing Healthcare Data Breaches
This breach adds Norton Healthcare to the growing list of U.S.-based healthcare organizations that have experienced data breaches impacting millions of individuals this year. The U.S. Department of Health and Human Services (HHS) reported a significant increase in “large breaches” reported to its Office for Civil Rights over the past four years, with an even higher increase in ransomware attacks. As per HHS data breach portal, the largest healthcare data breach in 2023 so far belonged to U.S. healthcare provider HCA Healthcare, where sensitive data of approximately 11 million patients was posted on a cybercrime forum. Perry Johnson & Associates, a Nevada-based medical transcription service, and U.S. dental giant Managed Care of North America (MCNA) also experienced significant breaches affecting millions of individuals.
