2.5M patients infected with data loss in Norton Healthcare ransomware outbreak

Norton Healthcare, which runs eight hospitals and more than 30 clinics in Kentucky and Indiana, has admitted crooks may have stolen 2.5 million people's most sensitive data during a ransomware attack in May.

During the intrusion, the criminals accessed names, contact information, Social Security Numbers, dates of birth, and may have included may have also included driver's license and government ID numbers, financial account information, and digital signatures.

Health information, insurance information, and medical ID numbers belonging to former patients, employees, and employee dependents and beneficiaries was also at risk, according to a data breach disclosure filed with the Maine Attorney General's office.

The not-for-profit healthcare system said it discovered the security incident, later determined to be a ransomware infection, on May 9, two days after the intrusion.

"Our investigation determined that an unauthorized individual(s) gained access to certain network storage devices between May 7, 2023, and May 9, 2023, but did not access Norton Healthcare's medical record system or Norton MyChart," Norton said in a statement on its website.

"Norton Healthcare notified the FBI and immediately began investigating this incident with the assistance of outside legal counsel and a respected forensic security provider," according to the breach event report [PDF].

"Norton did not make any ransom payment," it added.

AlphV/BlackCat ransomware affiliates claimed responsibility for the theft, and listed the healthcare system on its leak site on May 25. 

Norton declined to answer The Register's specific questions about the intrusion, including if AlphV was behind the breach.

"Norton Healthcare takes the personal information of our patients and employees seriously," spokesperson Renee Murphy told The Register. "Measures are being taken to further enhance our network security safeguards. There is pending litigation in this matter and we refer you to our public notice posted on our website." 

• Canada goosed as attackers shutter hospitals and China deepfakes its politicians
• Now BlackCat extortionists threaten to leak stolen plastic surgery pics
• BlackCat ransomware crims threaten to directly extort victim's customers
• Scores of US credit unions offline after ransomware infects backend cloud outfit

This latest case comes as US hospitals and healthcare systems face skyrocketing levels of ransomware infections. In addition to disclosing very sensitive personal information, these intrusions have led to weeks-long outages, diverted ambulances and delayed medical treatment for patients or their death - in at least one case.

At least 36 US health systems that oversee 130 hospitals have experienced ransomware attacks this year, and the criminals stole data in at least 27 of these instances, according to Emsisoft threat analyst Brett Callow.

The US Department of Health and Human Services reported a 93 percent increase in "large breaches" between 2018 and 2022 — the number jumped from 369 to 712 [PDF]. It also saw a 278 percent increase in large breaches involving ransomware during this time period. ®