A hacker or hacker group might have stolen healthcare data for more than half of Norway's population, according to reports in local press.
The attack took place on January 8 and came to light this week when Health South-East RHF, a healthcare organization that manages hospitals in Norway's southeast region, announced a security breach on its website.
The organization said HelseCERT, the country's CERT division for the healthcare sector, had identified suspicious traffic coming from Health South-East's computer network.
An investigation by the IT staff at Sykehuspartner HF, Health South-East RHF's parent company, revealed evidence of a severe data breach.
Health South-East RHF characterized the attacker as "an advanced and professional player."
Law enforcement has been notified, as well as NorCERT, the country's CERT team.
Health South-East RHF manages healthcare units in nine of Norway's 18 counties. The list includes the counties of Akershus (includes Norway's capital Oslo), Aust-Agder, Buskerud, Hedmark, Oppland, Østfold, Telemark, Vest-Agder, and Vestfold.
"A number of measures have been implemented to remove the threat, and further measures will be implemented in the future," said Norway's Ministry of Health and Care in a statement.
Authorities are still investigating the incident to determine the size of the breach, but local press fears the "suspicious traffic" HelseCERT detected was the hacker siphoning off patient data.
In the autumn of 2016, Health South-East RHF signed a contract with Hewlett Packard Enterprise to modernize its computer systems, but the contract was dropped after local press disclosed poor security controls on access to patient healthcare information.
"We do not see any connection between this attack and that project," Cathrine Lofthus, CEO of Health South-East RHF, told a Norwegian newspaper.
Norwegian security researchers have also been very critical of Health South-East RHF, whose top managers have been telling users to relax because their data was safe, even before the investigation into the hack was finished. Many fear the hack is much worse than the organization is letting on.
The leak, if confirmed, is still nowhere near what happened in Sweden, where a government contractor leaked the personal details of all the country's citizens. The person responsible was fined only half a month's paycheck.