Norton Healthcare, which runs eight hospitals and more than 30 clinics in Kentucky and Indiana, has admitted crooks may have stolen 2.5 million people's most sensitive data during a ransomware attack in May.
During the intrusion, the criminals accessed names, contact information, Social Security Numbers, dates of birth, and may have included may have also included driver's license and government ID numbers, financial account information, and digital signatures.
Health information, insurance information, and medical ID numbers belonging to former patients, employees, and employee dependents and beneficiaries was also at risk, according to a data breach disclosure filed with the Maine Attorney General's office.
The not-for-profit healthcare system said it discovered the security incident, later determined to be a ransomware infection, on May 9, two days after the intrusion.
"Our investigation determined that an unauthorized individual(s) gained access to certain network storage devices between May 7, 2023, and May 9, 2023, but did not access Norton Healthcare's medical record system or Norton MyChart," Norton said in a statement on its website.