LOUISVILLE, Ky. (WDRB) -- Norton Healthcare said about 2.5 million people will soon receive letters in the mail informing them they were possibly affected by a ransomware attack in May that exposed a wide array of sensitive information.

Norton spokeswoman Renee Murphy said Tuesday that the letters are being sent to "each of the potentially impacted individuals for whom we had mailing addresses."

The disclosure reveals the widespread scope of the May 2023 cyber attack. For context, the population of the Louisville-southern Indiana metro area is about 1.3 million people.

Murphy declined to say how the incident was resolved, only saying "we did not make any ransom payment." She hasn't responded when asked if the stolen information was returned as a result of an insurance claim.

Norton, one of the three large health care providers in Louisville, has been tight-lipped since the incident occurred.

Last week, seven months after the attack, Norton said its investigation found neither the company's medical record system nor its MyChart system were accessed. And for the first time, Norton called the breach a "ransomware attack." The company said it notified federal law enforcement officials and began "working with a respected forensic security provider to investigate and terminate the unauthorized access."

The investigation found that "an unauthorized individual(s) gained access to certain network storage devices" between May 7-9 but "did not access Norton Healthcare's medical record system or Norton MyChart."

Norton said the "nature and scope of" the incident "required time to analyze, a process that was substantially completed in mid-November."

Files that were impacted included personal information "primarily" about patients, employees and dependents, the company said. Impacted information varied from person to person, and may have included: name, contact information, Social Security Number, date of birth, health information, insurance information, and medical identification numbers, Norton said. Driver's license numbers and other government ID numbers, financial account numbers or digital signatures may have also been included in the data.

The breach has been the subject of speculation for months as the company worked to recover its information, and patients struggled to obtain prescriptions and schedule appointments.

Moving forward, Norton said it was working with external cybersecurity experts and federal law enforcement to "terminate the unauthorized access" and is "further enhancing its security safeguards."

"Individuals whose information may have been impacted can sign up for two years of credit monitoring by following the instructions in written notification letters that are being mailed," Norton said, encouraging those impacted to "remain vigilant and continue reviewing account statements for unusual activity."

Adrian Lauf is a computer science and engineering professor at University of Louisville and has researched cyber security.

Lauf said based off potential information that was compromised, insurance fraud is a possible threat, and warns people to keep an eye on any fraudulent insurance claims.

Lauf also said to err on the side of caution, and suggests contacting a national credit bureau to either submit a fraud alert and/or initiate a credit freeze. He also suggests to verify or double-check and unknown numbers or emails that contact you.

"I always suggest treat everyday as if your information has been stolen and your identity is not private," Lauf said.

A federal class action lawsuit was filed July 21 against Norton Healthcare on behalf of employees and patients whose personal information was stolen from Norton's servers in a cyber attack earlier this year. Despite having knowledge of the May 9 incident, the lawsuit accuses the network of failing to notify the people affected or the state attorneys general offices in the affected areas. 

A hacker group called BlackCat claimed responsibility for the attack and leaked files as proof. Employees' names, social security numbers and birth dates as well as patients' personal information, credit card numbers and medical history are contained in documents obtained by WDRB News and available publicly on the dark web, a corner of the internet accessible via specialized web browsers. They had not been redacted, and appear to be authentic.

The documents appeared to show a large amount of Norton's financial information, including operating accounts and payroll accounts with a balance of tens of millions of dollars, credit card information, confidentiality agreements, patient imaging orders, vendor and bank information and business invoices.

Norton serves about 600,000 patients a year with nearly $5 billion in assets. 

Related Stories:

Copyright 2023 WDRB Media. All Rights Reserved.

If you have information about a story you think the WDRB Investigates Team should look into, you can email investigate@wdrb.com or call the WDRB Investigates line at 502-322-1297.