Wednesday, December 13, 2023

Norton Healthcare says it will alert 2.5 million patients whose personal information may have been compromised by cyberattack

Image from Spectrum News
About two and a half million people may have been affected by a ransomware attack on Norton Healthcare, the Louisville hospital company said Tuesday. It said they will get letters soon, alerting them that the attack "exposed a wide array of sensitive information," Valerie Chinn of WDRB reports.

The attack occurred May 7-9. Norton spokeswoman Renee Murphy declined to tell WDRB how the incident was resolved. She said "We did not make any ransom payment" but would not say whether "the stolen information was returned as a result of an insurance claim," WDRB reports.

Last week, for the first time, Norton said it was the victim of a ransomware attack, had notified federal law enforcement officials and was "working with a respected forensic security provider to investigate and terminate the unauthorized access." It said its medical-record system and MyChart system for patients were not violated.  

However, Norton said the accessed files included personal information "primarily" about patients, employees and dependents. "Impacted information varied from person to person, and may have included name, contact information, Social Security number, date of birth, health information, insurance information, and medical identification numbers, Norton said. Driver's license numbers and other government ID numbers, financial account numbers or digital signatures may have also been included in the data," WDRB reports.

Norton said "Individuals whose information may have been impacted can sign up for two years of credit monitoring by following the instructions in written notification letters that are being mailed." It urged them to "remain vigilant and continue reviewing account statements for unusual activity."

Adrian Lauf, a computer science and engineering professor at the University of Louisville, told WDRB that the compromised information suggested that insurance fraud is a possible threat, so past Norton patients should watch out for fraudulent insurance claims.

"Lauf also said to err on the side of caution, and suggests contacting a national credit bureau to either submit a fraud alert and/or initiate a credit freeze," WDRB reports. "He also suggests to verify or double-check any unknown numbers or emails that contact you."

Norton said the incident's "nature and scope . . . required time to analyze, a process that was substantially completed in mid-November."

A federal class-action lawsuit filed against Norton July 21 by employees and patients whose personal information was stolen from Norton's servers alleges that the company failed to notify those affected or the attorneys general of Kentucky and Indiana. A similar lawsuit was filed Dec. 14 "on behalf of Margaret Garrett of Crestwood and others nationwide who are or were patients or were affiliated with Norton," WDRB reports. Murphy told the station, "We take safeguarding personal information seriously and plan to vigorously defend ourselves in any litigation associated with the ransomware attack."

WDRB notes, "A hacker group called BlackCat claimed responsibility for the attack and leaked files as proof. . . . Employees' names, social security numbers and birth dates as well as patients' personal information, credit card numbers and medical history are contained in documents obtained by WDRB News and available publicly on the dark web, a corner of the internet accessible via specialized web browsers. They had not been redacted, and appear to be authentic.

"The documents appeared to show a large amount of Norton's financial information, including operating accounts and payroll accounts with a balance of tens of millions of dollars, credit card information, confidentiality agreements, patient imaging orders, vendor and bank information and business invoices. Norton serves about 600,000 patients a year with nearly $5 billion in assets."
