This month, Norton Healthcare, a Kentucky-based health care system, notified individuals affected by a data breach that compromised the personal information of approximately 2.5 million of Norton Healthcare’s patients and employees.
The purported cause of the breach was a May 2023 ransomware attack on Norton Healthcare’s network. As a result of the attack, unauthorized third parties were able to access network storage devices containing patient and employee data. Norton Healthcare reported that the patient and employee data impacted by the breach included names, contact information, Social Security numbers, dates of birth, health information, insurance information, medical identification numbers, driver’s license numbers, government ID numbers, financial account numbers, and digital signatures. As Norton Healthcare is a Covered Entity subject to HIPAA, Norton reported the breach to the HHS Office for Civil Rights (“OCR”) in July 2023 while also investigating the extent and scope of the breach to further identify the individuals and types of data that were impacted. Subsequently, Norton notified affected individuals in December 2023.
Organizations storing data and maintaining network servers should ensure that their practices are consistent with federal and state data privacy laws that govern how data should be accessed, used, shared, and stored. Norton’s breach, which affected such a large group of individuals, underscores the importance of protecting systems against ransomware attacks and of promptly mitigating and responding to security incidents when they do occur.
Contact Frier Levitt to speak to an experienced data privacy attorney who can assist in evaluating your organization’s current data practices for deficiencies and compliance, as well as prepare and assist you in the event of security incidents and data breaches.