In May 2023, the Kentucky-based health system Norton Healthcare was attacked by the ALPHV/Blackcat ransomware group. Norton Healthcare, which operates 8 hospitals in Kentucky and Indiana, identified a cyberattack on its systems on May 9, 2023, which was later confirmed to be a ransomware attack. Ransomware attacks involve data encryption and often data theft. The stolen data is used as leverage to get victims to pay the ransom, since victims of the attacks can often recover the encrypted files from backups, as was the case with Norton Healthcare.
Norton Healthcare was issued with a ransom demand, payment of which was required to prevent the release of the stolen data; however, the decision was taken not to give in to the group’s demands and the ransom was not paid. Norton Healthcare launched an investigation with assistance provided by a forensic security firm and outside legal counsel. The attack was also reported to the FBI. The investigation confirmed that an unauthorized third party had access to its network between May 7 and May 9, 2023.
In July, as the HIPAA Breach Notification Rule reporting deadline approached, it was still unclear to what extent patient data was involved, so the breach was reported to the HHS’ Office for Civil Rights (OCR) as affecting at least 501 individuals. The review of the affected files continued, and it took until mid-November to receive final confirmation of the data involved. According to Norton Healthcare’s data breach letters, the exposed information included names, contact information, Social Security Numbers, birthdates, health information, insurance information, and medical identification numbers. A subset of individuals also had their driver’s license numbers, other government ID numbers, financial account numbers, and/or digital signatures exposed.
7 months after the breach was detected, Norton Healthcare started sending individual notification letters, which for efficiency were sent to all current and previous patients as of May 10, 2023, as well as employees, and their dependents and beneficiaries. Norton Healthcare said 2.5 million individuals were notified.
Norton Healthcare did not name the group behind the attack, but the ALPHV/Blackcat ransomware group claimed responsibility for the attack. The group claimed to have exfiltrated 4.7 terabytes of data before encrypting patient files. The group’s dark web data leak site is currently offline and has been for several days, along with its Tox p2p instant messaging account. Security researchers have suggested that the disruption could have been caused by a law enforcement operation.