Kentucky-based non-profit healthcare system Norton Healthcare has confirmed that hackers accessed the personal data of millions of patients and employees during an earlier ransomware attack.
Norton operates 40 clinics and hospitals in Louisville, Kentucky, and is the city’s third-largest private employer. The organization has over 20,000 employees and more than 3,000 total providers on its medical staff.
In a filing with Maine’s attorney general, Norton said the sensitive data of approximately 2.5 million patients, as well as employees and their dependents, was accessed during its May ransomware attack.
In a letter sent to those affected, the non-profit said that hackers had access to “certain network storage devices between May 7 and May 9,” but did not access Norton Healthcare’s medical record system or Norton MyChart, its electronic medical record system.
Norton admitted that following a “time-consuming” internal investigation completed in November, hackers accessed a “wide range of sensitive information,” including names, dates of birth, Social Security numbers, health and insurance information, and medical identification numbers.
Norton Healthcare says that, for some individuals, the exposed data may have also included financial account numbers, driver’s licenses, government ID numbers, and digital signatures.
It’s unknown if any of the accessed data was encrypted.
Norton says it notified law enforcement about the attack and confirmed it did not pay any ransom payment, but the organization did not name the hackers responsible for the cyberattack.
Norton Healthcare is one of many U.S.-based healthcare organizations to experience a data breach impacting millions of individuals this year.
The U.S. Department of Health and Human Services (HHS) recently reported that there had been more than a two-fold increase in “large breaches” reported to its Office for Civil Rights over the past four years, and an almost three-fold increase in ransomware attacks. The federal government department added that breaches reported this year had affected over 88 million individuals, up by 60% compared to 2022.
According to the HHS data breach portal, U.S. healthcare provider HCA Healthcare experienced the largest healthcare data breach in 2023 so far after hackers posted the sensitive data of approximately 11 million patients on a well-known cybercrime forum.
Perry Johnson & Associates, or PJ&A, a Nevada-based medical transcription service, experienced the second largest healthcare data breach after a cyberattack saw the sensitive data of almost nine million patients exposed. This was followed by a breach at U.S. dental giant Managed Care of North America (MCNA), which impacted 8.9 million of the organization’s clients.