Privacy, Incident Response, Ransomware

Cyberattack on Norton Health spurs long waits, prescription and lab delays

Medications prepared in a pharmacy.

The FBI is actively working with Norton Healthcare to determine the scope of an ongoing cyberattack, as the Louisville, Kentucky, health network works to recover a number of patient care systems.

On May 9, the information services team discovered suspicious network activity and deployed defensive measures. While data extortion and ransomware were not mentioned, the team also received a fax “containing threats and demands,” a common tactic used by threat groups. 

At the time of the fax, the network remained operational. Norton Healthcare officials stressed that the systems were proactively brought down in a controlled fashion: “at no point did an external force take control of or shut down our network.”

The information services team was able to thwart the impact of the attack and keep the network within their control. But with the network offline, clinicians are leveraging manual and paper processes to maintain services. All Norton Healthcare facilities remain open for all patient care.

However, the outage has caused long wait times for both phone calls and in-person patient visits, as well as “delays in network-related capabilities,” including imaging, lab and test results, prescription refills, and the Norton MyChart patient messaging platform.

The response team is “working as quickly as we can to bring systems back online,” while prioritizing patients with urgent medical needs. Patients seeking same-day appointments for illnesses, minor injuries, or other non-emergency care are urged to visit an urgent care location, rather than the main hospital. 

What’s more, a May 22 update informs patients that providers are working through a backlog of messages sent through its online patient time, which is causing lengthy response times of three to five business days. Patients were also notified that providers are still calling “all uncontrolled medications” to desired pharmacies.

“This has been a challenging time for our organization, and we have continued to care for and show compassion to our community,” officials said in a statement. “We understand the community has many questions. We know our patients have questions. We do too and experts are working as quickly as they can to get answers.”

Currently, Norton Healthcare is analyzing each impacted application to ensure all risks have been mitigated before bringing devices back online. The response team “is working as quickly as they can. This is an incredibly time-consuming but critical process.”

Norton Healthcare is the third U.S.-based health network to report cyber-related outages this month. Murfreesboro Medical Clinic & SurgiCenter in Tennessee just brought the majority of its systems back online more than three weeks after a cyberattack struck on April 22. Richmond University Medical Center also fell victim in early May, though details on the incident are limited.

Other recent outages include Point32 Health, Aspen Dental, and Cornwall Community Hospital in Ontario. Local news outlets also show a possible closure of the Oklahoma Institute of Allergy, Asthma, and Immunology by an apparent cyberattack more than two weeks ago. The report remains unconfirmed.

19K PillPack users informed of account access

Amazon Pharmacy’s PillPack arm recently began informing a subset of users that their accounts were accessed by an unknown actor. Of the 19,032 hacker accounts, 3,614 contained prescription information.

First discovered on April 3 as part of routine security monitoring, the PillPack team discovered suspicious log-in attempts against some customer accounts. The subsequent investigation determined a threat actor accessed the accounts over the course of four days, between April 2 and April 6.

The actor was able to access the accounts using valid customer email addresses and passwords. The team confirmed those credentials were not stolen from PillPack. Officials say this evidence suggests “customers used the same email and password for another website” that was likely accessed by the attacker.

The compromised data included email addresses, details related to PillPack prescriptions, and contact information of prescribing providers. No Social Security numbers or payment cards were affected.

After discovering the access, PillPack reset all account passwords to prevent a recurrence, in addition to enabling multi-factor authentication on all accounts. Reports show MFA is vastly more effective than passwords alone for account and device security.

Data exfiltration at Credit Control Corp. hits 13 providers, 346K patients

A systems’ hack and subsequent data exfiltration incident against R&B Corporation of Virginia, doing business as Credit Control Corporation, led to the theft of protected health information for 345,523 patients tied to 13 provider networks. CCC is a third-party collections agency for the healthcare sector.

On March 7, CCC found “unusual activity” on several network systems and promptly isolated the devices. The response team found an attacker accessed and copied “certain files” from the network between March 2 and March 7.

A review confirmed the stolen data varied by patient and included names, SSNs, contact details, and information tied to the “business partner,” such as account numbers, balances, and dates of service. All affected individuals are being provided credit monitoring and identity protection services.

The impacted providers include Sentara Health System, Riverside Health System, UVA Health, Bayview Physicians, Pariser Dermatology Specialists, Valley Health System, Dominion Pathology, Children’s Hospital of the King’s Daughters Health System, VCU Health System, Chesapeake Regional Medical Center, Mary Washington Healthcare, and Tidewater Physicians.

CCC has since confirmed its network security, reviewed relevant files, and informed federal law enforcement.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.