Kentucky-based nonprofit healthcare system Norton Healthcare has confirmed that hackers accessed the personal data of millions of patients and employees during an earlier ransomware attack.
Norton operates more than 40 clinics and hospitals in and around Louisville, Kentucky, and is the city’s third-largest private employer. The organization has more than 20,000 employees, and more than 3,000 total providers on its medical staff, according to its website.
In a filing with Maine’s attorney general on Friday, Norton said that the sensitive data of approximately 2.5 million patients, as well as employees and their dependants, was accessed during its May ransomware attack.
In a letter sent to those affected, the nonprofit said that hackers had access to “certain network storage devices between May 7 and May 9,” but did not access Norton Healthcare’s medical record system or Norton MyChart, its electronic medical record system.
But Norton admitted that following a “time-consuming” internal investigation, which the organization completed in November, Norton found that hackers accessed a “wide range of sensitive information,” including names, dates of birth, Social Security numbers, health and insurance information and medical identification numbers.
Norton Healthcare says that, for some individuals, the exposed data may have also included financial account numbers, driver licenses or other government ID numbers, as well as digital signatures.
It’s not known if any of the accessed data was encrypted.
Norton says it notified law enforcement about the attack and confirmed it did not pay any ransom payment. The organization did not name the hackers responsible for the cyberattack, but the incident was claimed by the notorious ALPHV/BlackCat ransomware gang in May, according to data breach news site DataBreaches.net, which reported that the group claimed it exfiltrated almost five terabytes of data. TechCrunch could not confirm this, as the ALPHV website was inaccessible at the time of writing.
Norton Healthcare is just one of many U.S.-based healthcare organizations to experience a data breach impacting millions of individuals this year.
The U.S. Department of Health and Human Services (HHS) recently said that there had been more than a two-fold increase in “large breaches” reported to its Office for Civil Rights over the past four years, and an almost three-fold increase in ransomware attacks. The federal government department added that breaches reported this year had affected over 88 million individuals, up by 60% compared to 2022.
According to the HHS data breach portal, U.S. healthcare provider HCA Healthcare experienced the largest healthcare data breach in 2023 so far after hackers posted the sensitive data of approximately 11 million patients on a well-known cybercrime forum.
Perry Johnson & Associates, or PJ&A, a Nevada-based medical transcription service, experienced the second largest healthcare data breach after a cyberattack saw the sensitive data of almost nine million patients exposed. This was followed by a breach at U.S. dental giant Managed Care of North America (MCNA), which impacted 8.9 million of the organization’s clients.