Kentucky healthcare giant says 2.5 million people affected by May ransomware attack

A ransomware attack in May exposed 2.5 million patients of hospitals connected to healthcare giant Norton Healthcare.

In notices submitted to regulators in Maine and California last week, the company said it discovered the attack on May 9 and later confirmed that it was dealing with a ransomware incident.

After an investigation, the company said the data of current and former patients, employees, as well as employee dependents and beneficiaries were leaked as a result of the attack. Impacted data includes names, contact information, Social Security numbers, dates of birth, health information, insurance information, and medical identification numbers.

Driver’s license numbers and other government ID numbers, financial account numbers, and digital signatures were also affected in some instances, the company explained.

Norton Healthcare is based in Louisville and runs eight hospitals in Kentucky and Indiana. The hospital said it reported the incident to federal law enforcement agencies and began an investigation that is still ongoing. The company is one of the largest employers in Kentucky.

The hackers had access “to certain network storage devices” from May 7 to May 9. Victims are being offered 24 months of identity protection services. A call center was created for those with questions.

The attack was claimed on May 25 by the AlphV/Black Cat ransomware gang, which posted lengthy updates criticizing the company for refusing to pay a ransom.

The gang claims it stole 4.7 terabytes of data that included information on thousands of employees. In addition to personal information like Social Security numbers, the gang claimed to have clinical imaging data and photos. The gang — which previously leaked patient photos from another U.S. hospital — is reportedly facing increased law enforcement scrutiny following several high-profile incidents in 2023.

At the time of the attack, the company’s hospitals were forced to revert back to using pen and paper for records after receiving a “faxed communication containing threats and demands.”

Ransomware attacks on healthcare facilities in the U.S. have forced federal agencies to take a closer look at potential actions that can be taken to address cybersecurity.

Last week, a ransomware gang took credit for an attack on Tri-City Medical Center — which forced the San Diego hospital on November 9 to take its systems offline, halt elective procedures and take other actions in light of the damaging attack. The hospital was only able to return to full functionality on December 2.

Ransomware attacks on Capital Health, Ardent Health Services and Prospect Medical Holdings this year left dozens of hospitals scrambling to provide patient care amid near-catastrophic technology outages.

Recorded Future — the parent company of The Record — reported at least 19 ransomware attacks on healthcare facilities last month and steep increases in incidents throughout 2023.