Norton Healthcare, a non-profit healthcare system based in Kentucky, has confirmed that it experienced a data breach earlier this year.
Hackers gained unauthorized access to the personal data of millions of patients and employees during a ransomware attack in May, TechCrunch reported Monday (Dec. 11), citing Norton’s Friday (Dec. 8) filing with Maine’s attorney general and a letter to those affected by the breach.
Approximately 2.5 million people, including patients, employees and employees’ dependents, were affected by the breach, according to the report.
In a Friday (Dec. 8) press release announcing the breach, Norton Healthcare said it is in the process of mailing letters to individuals who may have been impacted by the incident.
“Norton Healthcare takes safeguarding personal information seriously,” the press release said. “Individuals whose information may have been impacted will be offered two years of free credit protection services.”
The non-profit healthcare system operates over 40 clinics and hospitals in and around Louisville, Kentucky, making it the city’s third-largest private employer, according to the TechCrunch report. Norton Healthcare has a workforce of more than 20,000 employees and over 3,000 providers on its medical staff.
The hackers accessed certain network storage devices between May 7 and May 9, but did not breach the organization’s medical record system or electronic medical record system, the report said.
However, an internal investigation conducted by Norton Healthcare revealed that the hackers obtained a wide range of sensitive information, including names, dates of birth, Social Security numbers, health and insurance information, medical identification numbers, and potentially financial account numbers, driver’s licenses, government ID numbers and digital signatures.
Upon discovering the breach, Norton Healthcare notified law enforcement and confirmed that no ransom payment was made to the hackers, per the report.
The organization did not disclose the identity of the hackers responsible for the cyberattack, but the ALPHV/BlackCat ransomware gang claimed responsibility for the incident, according to the report.
The Norton Healthcare data breach is part of a larger trend affecting healthcare organizations in the United States, the report said. The U.S. Department of Health and Human Services (HHS) reported a significant increase in “large breaches” and ransomware attacks in recent years. In 2023 alone, breaches reported to the HHS Office for Civil Rights affected over 88 million individuals, a 60% increase compared to the previous year.
In another recent incident, Michigan-based McLaren Health Care said in November that it suffered a data breach that compromised the personal and health information of about 2.2 million patients.