Norton Healthcare has confirmed that the ransomware attack it suffered in May 2023 has exposed the sensitive data of 2,500,000 people.
Norton Healthcare is a Kentucky-based private healthcare system encompassing 40 clinics and hospitals, employing over 17,000 physicians, nurses, and other medical service staff and offering almost two thousand licensed beds. It is the Louisville healthcare market leader, handling half of all births, inpatient admissions, surgeries, and emergency department visits.
In May 2023, RestorePrivacy revealed that the BlackCat ransomware group, aka “ALPHV,” had claimed an attack on the healthcare organization and alleged that they had stolen 4.7 terabytes of data, including medical records, employee documents, and other sensitive data. At the time, the organization did not provide much info to the public regarding the allegations but posted a notice on its site informing about a cyberattack on May 9, 2023, which adversely affected the provision of medical services.
A copy of the notice published on Norton Healthcare’s site provides more details about the incident and the findings of the internal investigation that was concluded in mid-November.
On May 9, 2023, Norton Healthcare discovered that it was experiencing a cybersecurity incident, later determined to be a ransomware attack. Norton did not make any ransom payment.
Based on our investigation, an unauthorized individual(s) was able to access certain network storage devices between May 7, 2023, and May 9, 2023, but did not access Norton Healthcare’s medical record system or Norton MyChart.
Norton Healthcare
The organization started sending notices of a data breach to impacted individuals on December 8, 2023, which, according to the relevant entry on Maine’s data breach portal, are accounted to 2.5 million. The figure includes patients, employees, and their dependents.
The data that has been exposed includes:
- Name
- Contact information
- Social Security Number
- Date of birth
- Health information
- Insurance information
- Medical identification number
- Driver’s license
- Government ID
- Financial account number
- Digital signature
Not all of the 2.5 million individuals affected in the data breach had every type of the aforementioned data compromised. The scope of personal data exposure varies based on the information provided and the individual’s association with the organization (employee, patient, etc.).
The sensitive nature of the exposed information heightens the severity of the data breach. The one-month gap between concluding the internal investigation and notifying the affected individuals was too long, particularly as it left exposed people vulnerable to phishing, scams, and social engineering for seven months.