Norton Healthcare, Louisville’s 2nd largest employer, still dealing with May 9 incident.

Last month, Norton Healthcare took its computer systems offline after the IT department noticed suspicious activity on their network. Nearly one month later, Norton is still dealing with the fallout. The outage has caused long wait times for both phone calls and in-person patient visits and procedures, as well as “delays in network-related capabilities,” including imaging, lab and test results, prescription refills, and the Norton MyChart patient messaging platform.

It’s important to clarify that this incident is not an indictment of Norton Healthcare’s cybersecurity measures. From all indications, like many large healthcare organizations, Norton had robust security systems in place and followed industry-standard practices. The unfortunate reality, however, is that cyber attackers are becoming increasingly sophisticated, with methods and tactics continually evolving to outpace even the most advanced defenses.

Scary stuff.

Here are 5 things to know about the incident:

1) The incident occurred on May 9 but came to light on May 10

On May 9, the information services team discovered suspicious network activity and deployed defensive measures. On May 10, Norton posted the following update on their Facebook page:

The cyber attack came to light on May 10, when the company posted on Facebook about an IT disruption that affected its services.

On May 12, Norton again took to its Facebook page to confirm they were the victim of a cyber event.

2) The ransomware gang used a FAX machine (yes, a fax machine) to communicate their demands

If you thought fax machines were only used by government agencies and high school football players on National Signing Day, think again. Cybercriminals use fax to communicate with their victims more than you’d think because it’s much harder to trace the origins of a fax.

3) Their network was NEVER taken over or shut down by an external force

It’s important to understand that Norton noticed suspicious network activity and took a proactive stance by voluntarily taking their networks offline.

Chief Marketing and Communications Officer Renee Murphy said, “At no point did an external force take control of or shut down our network. All of our facilities remain open and patient care continues.”

Kudos to the Norton security team for keeping the network within their control, but taking the network offline has forced Norton to revert to manual and paper processes to maintain daily services.

4) AlphV (BlackCat) claimed responsibility for the attack and leaked about seven dozen files as proof

According to, the threat actors posted a public announcement warning Norton’s Executive and Board Members to take the matter more seriously. Here is a link to their public announcement (warning: language is NSFW).

ALPHV/BlackCat ransomware group is among the top three ransomware gangs according to Healthcare sector continues to be one of its preferred targets.

5) Norton has not specified whether patients’ data has been accessed

Given the severity of the ongoing situation, Norton is limited in what it can share publicly. However, the company released a May 24 Norton Healthcare network update on their website, which reads, “We are here to serve the community and we want to keep you informed about the cyber event that happened to our network on May 9. The event remains under investigation. We continue to bring systems back online and are closer to resuming all operations.” goes on to report that “BlackCat also claims to have exfiltrated 4.7 TB of data. The Norton sample includes personal and sensitive information of patients. It also includes other types of files including images of checks and bank statements, and files with employees’ personnel information such as name, date of birth, and Social Security number.”