Kentucky Hospital Chain Notifying 2.5 Million of Data Theft

A Kentucky-based hospital chain is notifying millions of individuals that their information was potentially exfiltrated in an attack detected seven months ago. Russian-speaking ransomware-as-a-service group Alphv/BlackCat – which is currently reportedly undergoing its own operational disruptions – allegedly took credit in May for the data theft.

See Also: JavaScript and Blockchain: Technologies You Can’t Ignore

Norton Healthcare, a nonprofit healthcare system that operates eight hospitals in Kentucky and Indiana, said in a breach report to the Maine attorney general’s office on Friday that it did not pay a ransom.

A Norton Healthcare spokeswoman told Information Security Media Group that the entity cannot confirm whether BlackCat was responsible for the attack but has confirmed that the group is taking credit.

Norton told Maine regulators the hacking incident affected 2.5 million current and former patients and employees, as well as their dependents and beneficiaries, including 385 Maine residents.

The entity previously reported the incident in July to federal regulators as affecting 501 individuals, a placeholder estimate at the time (see: Class Action Attorneys Circling Major Healthcare Breaches).

Within days of filing its report to the Department of Health and Human Services, at least one proposed class action lawsuit was filed in federal court against Norton alleging negligence in the entity’s failure to prevent the breach, among other claims.

That complaint, filed in the U.S. District Court for the Western District of Kentucky – Louisville Division by Lanisha Malone, a plaintiff identified as a longtime patient and former employee of Norton, was voluntarily dismissed without prejudice in late October.

Malone’s lawsuit cited several media reports alleging that stolen data had been leaked on the website of ransomware group BlackCat.

Attorneys representing Malone in the lawsuit did not immediately respond to ISMG’s request for comment on the dismissal and the latest developments in the Norton breach case.

As of Monday, Norton appears to face at least one other lawsuit related to the data breach, filed in Jefferson County Circuit Court in Kentucky.

In the statement to ISMG, a Norton spokeswoman confirmed that there is still pending litigation in the matter but declined further comment. She said the organization is taking measures to enhance its network security safeguards.

Breach Details

In its report to Maine regulators, Norton said that on May 9 it had discovered that it was experiencing a cybersecurity incident, which was later determined to be a ransomware attack. The entity said it had notified the FBI and begun to investigate the incident with the assistance of outside legal counsel and a forensic security firm.

Based on the investigation, Norton found that an unauthorized actor had been able to access certain network storage devices between May 7 and May 9 but did not access Norton Healthcare’s medical record system or Norton MyChart patient portal.

Between May and November 2023, Norton said, it had worked to analyze the scope of the incident and review potentially exfiltrated documents to identify which individuals and types of data were affected. That process “proved to be time-consuming,” and the review was not completed until mid-November 2023, Norton said.

The type of data potentially compromised includes name, contact information, Social Security Number, birthdate, health information, insurance information and medical identification numbers.

“In some instances, the data may also have included driver’s license numbers or other government ID numbers, financial account numbers, and digital signatures,” Norton said.

Norton is offering affected individuals 24 months of complimentary credit and identity monitoring. The entity said it had begun to restore its systems from secure backups on May 10.

“To date, Norton Healthcare has not detected any additional indicators of compromise as its networks have been restored,” the notice said.

BlackCat Claimed Credit

In May, while Norton was initially responding to the incident, some media outlets, including WDRB in Kentucky, had reported that BlackCat leaked employee and patient data on its dark web site. The 4.7 terabytes of data that BlackCat allegedly claimed to have exfiltrated included employees’ names, Social Security numbers and birthdates, as well as patients’ personal information, credit card numbers and medical history.

While Norton is now dealing with notifying millions of individuals affected by the incident, BlackCat is reportedly struggling with its own problems.

The data leak site for Alphv/BlackCat, as well as its Tox peer-to-peer instant messaging account, have remained offline since Thursday, and some researchers are convinced that the shutdown was caused by law enforcement action (see: Ransomware Group Offline: Have Police Seized Alphv/BlackCat?) .

Alphv/BlackCat was the subject of an alert by HHS’ Health Sector Cybersecurity Coordination Center in January (see: BlackCat, Royal Among Most Worrisome Threats to Healthcare).

While LockBit this past year again accounted for the largest number of known attacks tied to any group – 25% of all victim listings – BlackCat came in second, accounting for 11% of listings, and healthcare remained the most targeted sector, Cisco Talos reported in an annual review of cybercrime and cyberattack trends covering the 12-month period ending on Sept. 30.