Kentucky-based healthcare provider Norton has confirmed that it has suffered a significant ransomware attack that may have compromised the data of millions of its patients.
In a file with the Maine Attorney General on December 8, the healthcare giant said 2.5 million people had been affected by the breach.
Norton said the attack took place between May 7 and 9, 2023, stating that it took until mid-November to analyze the scope of the attack and the types of patient data that had been exfiltrated.
Data breach Norton Healthcare
A letter sent on behalf of Norton Healthcare by data privacy and cybersecurity attorney David Saunders confirms that the company notified the FBI and contacted outside legal counsel and a forensic security provider as soon as it became aware of the incident.
The summary continues: “Based on our investigation, unauthorized individuals were able to access certain network storage devices between May 7, 2023 and May 9, 2023, but could not access Norton Healthcare's medical record system or Norton MyChart.”
Norton confirmed that it did not pay any ransom to the attacker.
Norton avoids details, saying that some or all of the following data may have been disclosed: name, contact information, social security number, date of birth, health information, insurance information, and medical identification numbers. Some driver's license numbers or other government ID numbers, financial account numbers, and digital signatures may also have been exposed.
Norton has notified current and former patients, employees, as well as dependent employees and beneficiaries, of this incident.
No further suspicious activity has been detected and the non-profit healthcare provider promises to improve its security safeguards.
In the meantime, customers will get access to 24 months of single-bureau credit monitoring, unlimited fraud advice and identity theft recovery services from Kroll.