Millions of Personal Records Stolen in Norton Healthcare Hack

Norton Healthcare, a Kentucky-based nonprofit healthcare system, confirmed a ransomware attack in May compromised the personal data of approximately 2.5 million patients and employees. The attack, which was first detected on May 9, allowed hackers to access certain network storage devices between May 7 and May 9.

However, Norton Healthcare assured that the medical record system and Norton MyChart, its electronic medical record system, were not compromised. The internal investigation, completed in mid-November, revealed that the hackers accessed a wide range of sensitive information. This included names, dates of birth, Social Security numbers, health and insurance information, medical identification numbers, potentially financial account numbers, driver’s licenses, government ID numbers, and digital signatures.

Norton Healthcare stated that it did not make any ransom payment and has not detected any additional indicators of compromise since restoring its systems from backups on May 10. According to TechCrunch, the ALPHV/BlackCat ransomware gang claimed responsibility for the cyberattack. Norton Healthcare has notified law enforcement about the attack and is in the process of mailing letters to individuals who may have been impacted by the incident. They are also offering two years of free credit protection services to those affected.

This incident is part of a larger trend affecting healthcare organizations in the United States. The U.S. Department of Health and Human Services (HHS) reported a significant increase in “large breaches” and ransomware attacks in recent years. In 2023 alone, breaches reported to the HHS Office for Civil Rights affected over 88 million individuals, a 60% increase compared to the previous year.

Earlier this year, we reported on the McLaren Health Care breach, which compromised the personal and health information of about 2.2 million patients. Additionally, the HCA Healthcare breach exposed the sensitive data of approximately 11 million patients, making it one of the largest healthcare data breaches in 2023. These incidents, along with several others reported this year, showcase how the healthcare industry is increasingly targeted.