Norton Healthcare says hackers stole ‘sensitive data of 2.5 million patients’ during a ransomware attack
Norton Healthcare, one of the biggest healthcare players in the US, has disclosed a major data breach stemming from an earlier ransomware attack. The Kentucky-based non-profit healthcare system confirmed that hackers accessed the personal data of millions of patients and employees during that attack.
Norton Healthcare, with over 40 clinics and hospitals in and around Louisville, Kentucky, is the city’s third-largest private employer. According to its website, the organization boasts a workforce exceeding 20,000 employees and a medical staff comprising over 3,000 providers.
In May 2023, Norton Healthcare dropped a bombshell, revealing that it had fallen prey to a ransomware attack that involved unauthorized access to sensitive information between May 7th and 9th. The aftermath? The potential theft of personal data belonging to millions of patients.
Fast forward to December 8th, 2023, and Norton Healthcare declared the conclusion of its exhaustive internal investigation into the incident. What they found wasn’t reassuring: hackers had infiltrated “certain network storage devices.” Fortunately, the main medical record system and patient portal, Norton MyChart, remained untouched.
However, the revelation didn’t end there. Norton disclosed that, after an intricate and time-consuming inquiry, a range of sensitive information had been compromised. This included names, dates of birth, Social Security numbers, health and insurance details, and medical identification numbers.
In a report submitted to Maine’s attorney general last Friday, Norton revealed that the sensitive data of around 2.5 million patients, as well as employees and their dependents, was compromised in the ransomware attack that took place in May.
The non-profit organization sent a letter to those impacted, stating that hackers managed to breach “certain network storage devices” between May 7 and May 9. Importantly, it emphasized that the intruders did not infiltrate Norton Healthcare’s medical record system or Norton MyChart, its electronic medical record system.
However, Norton came clean about the results of an extensive internal investigation, which concluded in November. The findings were disconcerting, revealing that hackers had indeed gained access to a “wide range of sensitive information.” This included names, dates of birth, Social Security numbers, health and insurance details, as well as medical identification numbers. The investigation was described as “time-consuming,” shedding light on the severity of the breach.