The health records of almost three million people in Norway have been compromised in an attack described as “advanced” and “professional” by authorities in the country.
The attackers breached the systems of Norway’s Health South East RHF, spilling the records of people in the counties of Østfold, Akershus, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder, Vest-Agder – and the capital Oslo.
The breach was announced on Monday by the authority, after it had been notified by HelseCERT, the Norwegian healthcare sector’s national information security centre, that there had been abnormal activity against computer systems in the region.
HelseCert said that data theft had taken place and that the hackers were “advanced” and “professional”.
“We are in a phase where we try to get an overview. It’s far too early to say how big the attack is. We are working to acquire knowledge of all aspects,” Kjetil Nilsen, director of NorCERT, the National Security Authority (NSM), which is also helping with the investigation, told Norwegian publication VG.
“Everything indicates that it is an advanced player who has the tools and ability to perform such an attack. It can be advanced criminals. There is a wide range of possibilities,” he added.
Meanwhile the CEO of Health South East RHF, Cathrine M. Lofthus said that the situation was “very serious” and that measures had been taken to limit the damage caused by the hack.
She said that the potential data theft has not had any impact on patient care or patient safety, as yet, and added that staff within the health sector and government were working to resolve the situation.
The police have been notified, but as yet there are more questions than answers.
Nilsen said that the data could have been hacked to use for cyber espionage, or perhaps it is likely to be used by someone who provides services based on healthcare information.
However, as the health records would also include people who work in government, secret services, military and intelligence staff, politicians and other public individuals, there are some that believe the data could be used for other purposes.
Nyvoll Nygaard, an adviser with the Norwegian Police Security Service, said that it’s possible that someone working for a foreign state intended to collect information that may harm fundamental national interests relating to the area’s infrastructure.