Cyber Incident Victim: Helse Sør-Øst RHF

Date: Jan 2018

Location: Norway

Summary

A healthcare organization managing hospitals in Norway's southeast region suffered a severe data breach involving suspicious network traffic attributed to an advanced and professional threat actor, potentially compromising sensitive healthcare data of approximately 2.9 million individuals—over half the country's population. The breach prompted immediate containment measures and investigations by internal IT teams, HelseCERT, and law enforcement, though security researchers criticized the organization for prematurely assuring data safety before confirming the attack's scope. Parent company Sykehuspartner HF confirmed unauthorized access, while authorities ruled out involvement from a previously contracted third-party IT modernization project.

Description

On January 8, 2018, an unauthorized actor breached the computer network of Health South-East RHF, a Norwegian healthcare organization managing hospitals across nine counties in the country’s southeast region. HelseCERT, Norway’s healthcare sector CERT team, first detected suspicious network traffic originating from Health South-East’s systems, prompting an internal investigation by Sykehuspartner HF, the parent company of Health South-East RHF. The investigation confirmed a severe data breach, with the organization characterizing the attacker as "an advanced and professional player." Health South-East RHF publicly disclosed the incident in mid-January 2018, notifying law enforcement authorities and NorCERT, Norway’s national CERT. In a joint statement, Health South-East RHF and Sykehuspartner HF acknowledged the seriousness of the breach and confirmed immediate measures had been implemented to limit damage, with plans for additional future actions.

The breach potentially compromised healthcare data of 2.9 million individuals—over half of Norway’s 5.2 million population—as Health South-East RHF was the largest of Norway’s four healthcare regions. Norway’s Ministry of Health and Care Services confirmed threat containment measures were active but emphasized ongoing investigations to determine the full scope of exfiltrated data. Local media speculated the suspicious traffic indicated patient data theft, though no definitive confirmation was provided. Health South-East RHF executives faced criticism for prematurely assuring data safety before the investigation concluded, with security researchers and media outlets expressing concerns the breach’s severity was understated. The organization clarified that a discontinued 2016 IT modernization project with Hewlett Packard Enterprise (HPE)—terminated after media exposed inadequate security controls—was unrelated to the breach, a position reinforced by CEO Cathrine Lofthus in press statements.
