Norton Healthcare Failed to Stop Ransomware Attack, Data Breach Lawsuit Claims
by Brian Eckert
A Kentucky health system that suffered a ransomware attack in May has been hit with a Milberg class action lawsuit for allegedly failing to protect the private data of approximately 2.5 million people, exposing them to identity theft crimes.
Anyone whose information may have been impacted is eligible to join this lawsuit as a class member and receive a share of any verdict or settlement that results.
Details of the Ransomware Attack
A Notice of Security Incident posted on the Norton Healthcare Inc. website states that, on May 9, 2023, Norton discovered a cybersecurity incident that was later determined to be a ransomware attack.
Norton’s investigation “determined that an unauthorized individual(s) gained access to certain network storage devices between May 7, 2023, and May 9, 2023.”
Norton reported that the data of approximately 2.5 million patients, employees, and dependents was exposed in the data breach, including:
- Contact information
- Social Security numbers
- Dates of birth
- Health information
- Insurance information
- Medical information
- Driver’s license numbers
- Other government ID numbers
- Financial account numbers
- Digital signatures
Impacted individuals, including the lead plaintiff in Milberg’s lawsuit, began receiving letters from Norton in December 2023 notifying them that their information may have been exposed in the data breach.
Milberg’s data breach lawsuit against Norton was filed on December 14, 2023, in the U.S. District Court for the Western District of Kentucky. It accuses Norton of negligence, breach of fiduciary duty, and violations of the privacy and security rules under the Health Insurance Portability and Accountability Act, as well as violations of the Kentucky Consumer Protection Act.
The lawsuit seeks monetary relief for class members and a court order forcing Norton to implement cybersecurity best practices, which the lawsuit claims were not implemented by Norton at the time of the cyberattack.
“Norton should not be permitted to retain the money belonging to Plaintiff and Class members because Norton failed to adequately implement the data privacy and security procedures for itself that Plaintiff and Class members paid for and that were otherwise mandated by federal, state, and local laws and industry standards,” according to the complaint.
Identity thieves use personal information for a variety of crimes, including credit card fraud, phone or utilities fraud, and bank/finance fraud. In addition, identity thieves may obtain a job using the victim’s SSN, rent a house, or receive medical services in the victim’s name, and may even give the victim’s personal information to police during an arrest.
The plaintiff says victims of the Norton data breach should also be compensated for the time and money they spend to address the effects of the data breach, including increased risks of identity theft and medical identity theft.
She adds that the data breach notification letter from Norton provides “scant” detail about the incident and the steps that Norton is taking to address it. The notification does not provide the dates of Norton’s investigation, details of what caused the data breach, the vulnerabilities exploited, or details of the remedies implemented to ensure such a breach does not occur again, the plaintiff says.
Cybersecurity attacks on hospitals and health systems have been on the rise in recent years. A December announcement from the Department of Health and Human Services about new proposed cybersecurity measures for the healthcare sector notes that from 2018 to 2022, there was a 93% increase in data breaches and a 278% increase in ransomware attacks targeting healthcare organizations.
Proposed Data Breach Classes
The proposed Norton data breach class action identifies two classes:
- A Nationwide Class composed of all persons in the United States whose personally identifiable information (PII) and personal health information (PHI) was accessed by and disclosed to unauthorized persons in the data breach, including all persons who were sent a notice of the data breach.
- A Kentucky Class consisting of all persons in the Commonwealth of Kentucky whose PII/PHI was accessed by and disclosed to unauthorized persons in the data breach, including all persons who were sent a notice of the data breach.
Class members are represented by Milberg Senior Partner John C. Whitfield, who has more than 40 years of experience and practices out of the firm’s Kentucky office. Mr. Whitfield is one of the premier trial attorneys in the state and certified by the National Board of Trial Advocacy as a civil trial specialist.
Since 1965, Milberg—the firm that pioneered federal class action litigation—has filed thousands of class actions, won over $50 billion for our clients, set groundbreaking legal precedents, and prompted meaningful changes in how big companies do business.