Records for approximately 2.5 million patients of Louisville, Kentucky-based Norton Healthcare were acquired by hackers in a data breach earlier this year.
According to a legal filing, hackers gained access to certain network storage devices between May 7 and May 9. Maine’s Attorney General publicly filed information submitted by attorneys representing Norton Healthcare on Friday. Although a small number of Maine’s residents were impacted, the state requires organizations experiencing a breach to submit information.
The hack also affected an unspecified number of current and former employees.
Records accessed contained personal information about patients, employees and their dependents, an attorney representing Norton wrote in the filing. The health system said Social Security and driver’s license numbers, dates of birth, health and insurance information along with financial account information might have been compromised.
Norton said the hackers did not access its medical record system or Epic MyChart software. It said the nature and scope of the incident required time to analyze, a process that was substantially completed in mid-November.
In a statement, a Norton spokesperson said the system takes the personal information of patients and employees seriously, and that measures are being taken to further enhance its network security.
Breaches are part of a larger trend throughout healthcare. Cybersecurity threats to healthcare organizations have grown exponentially in the last few years, according to a report published earlier this year by managed security company Trustwave. Nearly 25% of cyberattacks in 2022 targeted the healthcare industry, according to data cited in the report.
While data from technology giant IBM placed the percentage of healthcare breaches at around 5.8% of the total, experts said the industry will remain a target because patient records are relatively difficult to change.
“If you have a credit card number that's lost or stolen, you can have the bank change it the next day,” Limor Kessem, senior managing consultant on cyber crisis management at IBM, said in an interview this summer. “But if you have healthcare information and stuff your insurance uses, it's a lot harder to modify that--if at all.”
A separate report from IBM noted healthcare data breaches have been the most expensive of any industry for 13 consecutive years. Over the past three years, the average cost of breaches to healthcare organizations has grown more than 50%.
Norton is offering two years of identity protection services to patients and employees who might have been affected.