LOUISVILLE, Ky. (WDRB) – Social Security numbers, bank information and mammogram images were among the sensitive documents leaked online when hackers targeted Norton Healthcare six weeks ago.
The nonprofit Louisville Health System has yet to respond to questions about whether patient or employee information was compromised in the May 9 “cyber incident.” Norton said he is working with the FBI to investigate the incident.
But employees’ names, Social Security numbers and dates of birth, as well as patients’ personal information, credit card numbers and medical history, can be found in publicly available documents on the dark web, a corner of the Internet that can be accessed by special web browsers.
The documents reveal large amounts of Norton financial information, operating accounts and payroll accounts with balances in the tens of millions of dollars, credit card information, confidentiality agreements, patient imaging orders, supplier and bank information and business invoices.
The May 9 “cyber incident” has been the subject of speculation for weeks as the company works to recover the data and patients struggle to get prescriptions and book appointments. A patient concerned that her mammograms were leaked in the hack told Norton that the mammogram records are still in the system but may not be available for comparison now.
Kevin Keyes says his 13-year-old son, Byron, is having trouble taking care of things.
“I’m trying to understand why there’s no correlation, I’m trying to understand why these cases still exist,” said Keyes, who is considering switching health care providers. “No one from Norton told me anything. No one told me the nature of the problem.”
Keyes is also concerned that his family’s personal information was leaked in the hack.
“Both of my children’s personal information is with Norton if someone takes the time to go in there,” he said. “I don’t want to use their information for identity theft or some kind of fraud.”
Several cyber security websites claimed that a hacking group called Blackcat claimed responsibility for the attack and released the files as evidence. Earlier this year, the US Department of Health and Human Services released a presentation about BlackCat Ransomware and its threat to the health sector. HHS Blackcat — which is relatively new and was first discovered in November 2021 — has demanded a ransom of up to $1.5 million and uses so-called “bulletproofs for its website and Bitcoin mixer” to keep transactions anonymous.
In a recent public announcement, Blackcat – sometimes called ALPHV – Norton failed to protect confidential information, the company is making false statements in the news.
“We gave Norton’s executive board members more than enough time, but they failed to show courage in protecting the privacy of their customers and employees,” the statement said.
Norton spokeswoman Renee Murphy said in a written statement Thursday that Blackcat has claimed responsibility for the hack and is continuing to investigate and cooperate with law enforcement.
“The investigation into the May 9, 2023 cyber incident is ongoing,” Murphy said. “Norton Healthcare is working with leading cybersecurity experts on this review and the FBI is involved. We are devoting significant resources to assessing the impact of the incident. Additional information will be provided upon the conclusion of the investigation.” In May, Norton said it “actively” took down network systems after employees saw suspicious activity and received faxes containing threats and demands.
A blue box on Norton’s home page says the incident is under investigation. We continue to bring systems online and are close to resuming all operations.
Norton’s last update on the incident was posted on May 24, nearly a month ago.
In the weeks since the attack, Norton acknowledged that patients were experiencing “long wait times” when trying to reach offices by phone, as well as “delays in network-related capabilities” such as imaging, lab and test results, prescription refills and messaging. MyChart, the system’s electronic medical records software.
Norton is a large healthcare organization serving approximately 600,000 patients annually with approximately $4.7 billion in assets, including five hospitals and eight outpatient centers. The system operates 18 urgent care clinics and 289 doctors’ offices. Norton projects revenue of $3.6 billion by 2022.
Related Stories:
Copyright 2023 WDRB Media. all rights reserved.
If you have information on a story you think the WDRB Investigates team should investigate, you can email research@wdrb.com or call the WDRB Investigates line at 502-322-1297.
[ad_2]