A previous ransomware attack exposed the personal information of millions of patients and staff, according to Kentucky-based nonprofit healthcare system Norton Healthcare.
In Louisville, Kentucky, Norton runs over forty clinics and hospitals and is the third-largest private employer in the city. On its website, the organization states that it employs over 20,000 people and that it has over 3,000 medical providers on staff.
Norton said in a filing with Maine’s attorney general on Friday that, during the May ransomware attack, hackers had gained access to the private information of about 2.5 million patients as well as employees and their dependents.
Hackers gained access to “certain network storage devices between May 7 and May 9,” according to a letter the nonprofit sent to those impacted. However, Norton Healthcare’s medical record system and its electronic medical record system, Norton MyChart, were not compromised.
Yet Norton acknowledged that after a “time-consuming” internal investigation, which the company finished in November, it was discovered that hackers had access to a “wide range of sensitive information,” including names, dates of birth, Social Security numbers, information about health and insurance, and medical identification numbers.
Digital signatures, driver’s license numbers, and other government ID numbers may have also been exposed in the data for some people, according to Norton Healthcare.
It is unknown whether any of the accessed data was encrypted.
Norton says it verified that it did not pay any ransom and that it reported the attack to law enforcement. The organization did not identify the hackers who carried out the cyberattack, but some reports indicated that the attack was carried out in May by the infamous ALPHV/BlackCat ransomware gang, which claimed to have exfiltrated nearly five terabytes of data. Because the ALPHV website was unavailable when this was written, Virtualattacks was unable to verify this.
This year, several healthcare organizations in the United States, including Norton Healthcare, have had millions of people impacted by a data breach.
According to recent reports from the U.S. Department of Health and Human Services (HHS), ransomware attacks have increased nearly threefold over the last four years, and there has been a more than two-fold increase in “large breaches” that have been reported to the Office for Civil Rights. The federal government department further stated that over 88 million people were impacted by the breaches that were reported this year, a 60% increase from 2022.
The HHS data breach portal states that the most significant healthcare data breach of 2023 occurred at U.S. healthcare provider HCA Healthcare, following the disclosure of patient-sensitive data by hackers on a popular cybercrime forum, affecting roughly 11 million patients.
The second-largest healthcare data breach occurred at Perry Johnson & Associates, or PJ&A, a medical transcription service with headquarters in Nevada. A cyberattack exposed nearly nine million patients’ private information. A breach at the massive American dental company Managed Care of North America (MCNA) that affected 8.9 million of the company’s clients came next.
Data Theft affected 2.5 million patients
In a ransomware attack in May, 2.5 million people’s most sensitive data may have been stolen, according to Norton Healthcare, which operates eight hospitals and over thirty clinics in Kentucky and Indiana.
The hackers were able to obtain names, contact details, dates of birth, Social Security numbers, driver’s license and government ID numbers, financial account information, and digital signatures during the breach.
According to a data breach disclosure submitted to the Maine Attorney General’s office, other information that might have been compromised included medical ID numbers, insurance details, and health information of previous patients, staff members, and beneficiary spouses.
The non-profit healthcare system said it found the security breach on May 9, two days after the hack, and that it was subsequently determined to be a ransomware incident.
“Our investigation determined that an unauthorized individual(s) gained access to certain network storage devices between May 7, 2023, and May 9, 2023, but did not access Norton Healthcare’s medical record system or Norton MyChart,” Norton Healthcare said in a statement published on its website.
“Norton Healthcare notified the FBI and immediately began investigating this incident with the assistance of outside legal counsel and a respected forensic security provider,” according to the report detailing the breach.
“Norton did not make any ransom payment,” it stated.
Affiliates of the AlphV/BlackCat ransomware took credit for the theft on May 25 and included the healthcare system on their list of compromised systems.
Norton refused to respond to specific queries from The Register regarding the hack, such as whether or not AlphV was responsible for the breach.
The Register was informed by spokesman Renee Murphy that Norton Healthcare “takes the personal information of our patients and employees seriously.” “We’re taking steps to improve our network security measures even more. We direct you to our public notice that is available on our website as there is ongoing litigation regarding this matter.”
This most recent incident occurs at a time when ransomware infections in US hospitals and healthcare systems are surging. These breaches have not only revealed extremely private information, but they have also resulted in weeks-long disruptions, ambulances being diverted, and, in at least one instance, patients’ deaths or delayed medical care.
According to Emsisoft threat analyst Brett Callow, at least 36 US health systems that are in charge of 130 hospitals have been the target of ransomware attacks this year. In at least 27 of these cases, the hackers took advantage of the data.
Between 2018 and 2022, there was a 93% increase in “large breaches” according to the US Department of Health and Human Services, with the number rising from 369 to 712. During this time, there was also a 278 percent rise in significant ransomware-related breaches.