Norton Healthcare, Inc., a Kentucky-based health system, recently confirmed a major ransomware attack.
What happened
According to the Maine Attorney General, Norton Healthcare filed a data breach notification that impacted 2.5 million individuals. Norton stated the breach occurred between May 7th and 9th of 2023, and was discovered on the 9th.
The attack led to delays in network-related actions and longer wait times. According to Norton’s website, impacted files may have contained names, contact information, dates of birth, Social Security numbers, health information, insurance information, driver’s license numbers, financial account information, and digital signatures. Impacted individuals included patients, employees, and employee dependents.
Going deeper
Following the discovery, Norton began an investigation that concluded in mid-November. According to their statement, Norton concluded after the investigation that “it would be most efficient to notify current (as of May 10, 2023) and former patients, employees, as well as employee dependents and beneficiaries of this incident.”
Norton began sending out breach notices via postal mail on December 8. They are offering complimentary credit monitoring and identity protection services for 24 months.
The healthcare system stated they did not make a ransom payment following the incident. Since restoring their backup systems on May 10, Norton has said they have not detected any indicators of compromise. Their statement concluded that “Norton Healthcare is also enhancing its security safeguards.”
Why it matters
The impacts of the ransom attack can be severe for Norton Healthcare and individuals whose data was compromised.
On July 21, a former employee, Lanisha Malone, filed a class action lawsuit against Norton. The lawsuit alleges that Norton knew significantly more details regarding the event than victims were led to believe.
According to a news report, a spokesperson for Norton, Renee Murphy, said, “We intend to vigorously defend ourselves in any litigation associated with the cyber event we experienced earlier this year.”
The lawsuit alleges that with the stolen data, victims may face further exploitation, such as identity theft or fraud. The lawsuit also claims the ransomware organization responsible for the attack is named BlackCat, a detail that Norton has not publicly confirmed or denied.
The bottom line
Cyberattacks can have serious ramifications for all involved. From Malone’s lawsuit, which claims she spends significant time monitoring her credit reports and transactions, to impacts on Norton’s ability to operate its healthcare system.
If Norton Healthcare is found responsible in some way for the attack or for failing to notify patients promptly, it could face further harsh financial penalties.
The best way to prevent financial impacts and ensure patients are cared for is by actively preventing cyber threats from coming to fruition.
Read more: HIPAA Compliant Email: The Definitive Guide.
Abby Grifno
