Norton Healthcare logo on a hospital building

Healthcare giant Norton breach leads to theft of millions of patient records

Healthcare company Norton says a May breach led to the theft of data of around 2.5 million of its patients, as well as employees and their dependents.

Norton has more than 40 clinics and hospitals in and around Louisville, Kentucky. In a filing with Maine’s attorney general on Friday, Norton said that on May 9, 2023, it discovered an “external system breach.” While the attackers were in the system, Norton says, the sensitive data of the patients, and employees and their dependents was accessed.

In a security incident notice as well as the letter that was sent to potential victims, Norton said the attackers accessed certain network storage devices, but did not access Norton Healthcare’s medical record system or Norton MyChart, its electronic medical record system.

The leaked information included names, dates of birth, Social Security numbers, health and insurance information, and medical identification numbers. Some people also had their financial account numbers, driver licenses or other government ID numbers, and digital signatures also taken.

While Norton never called the incident a ransomware attack, according to databreaches.net the attack was claimed by ALPHV/BlackCat. We could not confirm this, since at the time of writing, the ALPHV leak site is recovering from an outage due to problems with their hosting provider.

Norton says it told law enforcement about the attack and confirmed it did not pay any ransom payment. ALPHV claims to have extracted 4.7 TB worth of data and posted dozens of files as proof to get negotiations underway.

ALPHV is one of the most active ransomware-as-a-service (RaaS) operators and regularly appears in our monthly ransomware reviews as one of the top five most active groups. Recently they made headlines when one of their affiliates, known as Scattered Spider attacked MGM. They also filed a SEC complaint about one of their victims for failing to disclose a breach.

Our podcast host David Ruiz talked to ransomware expert Allan Liska about the why of the SEC complaint.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  • Set up identity monitoring. Identity monitoring alerts you if your personal information is found being traded illegally online, and helps you recover after.

We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using Malwarebytes Identity Theft Protection.

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.