Norton Healthcare Settles Class Action Ransomware Lawsuit for $11 Million
A class action lawsuit against Norton Healthcare over a 2023 ransomware attack has been settled for $11 million. The settlement has received preliminary approval from the court and provides medical monitoring services, reimbursement of out-of-pocket losses, compensation for lost time, and cash payments for the class members.
Norton Healthcare is a nonprofit Kentucky-based health system with eight hospitals and hundreds of other care facilities in and around Louisville, Kentucky, and southern Indiana. On or around May 9, 2023, Norton Healthcare discovered that hackers had gained access to its network. The forensic investigation confirmed that a threat actor had access to certain network storage devices between May 7 and May 9, 2023, and obtained sensitive data relating to current and former patients, employees, and their dependents and beneficiaries.
The ALPHV/BlackCat ransomware group claimed responsibility for the attack and leaked approximately 4.7 terabytes of data on its dark web data leak site. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, health information, health insurance information, driver’s license numbers, other government ID numbers, financial information, and other sensitive data. The Department of Health and Human Services was informed that the data breach affected 2.5 million individuals.
Several class action lawsuits were filed in response to the data breach. The lawsuits were consolidated into a single action as they had overlapping claims. The consolidated lawsuit – Abby Berthold, et al. v. Norton Healthcare, Inc., et al. – was filed in Jefferson Circuit Court, Division Two, in Kentucky and named Abby Berthold, Charlotte D’Spain, Lanisha Malone, Deloise Simmson, and Alexandra Schachtner as the class representatives.
The consolidated class action lawsuit alleged that Norton Healthcare was at fault and could have prevented the cyberattack and data breach had reasonable and appropriate security measures been implemented. The plaintiffs asserted claims of negligence, breach of implied contract, unjust enrichment, and intrusion upon seclusion/invasion of privacy. Norton Healthcare denies fault, liability, and wrongdoing, and sought to have the lawsuit dismissed. The plaintiffs responded to the motion to dismiss, but there was no ruling from the court on that motion. Following mediation, a settlement was agreed to resolve the litigation, with no admission of wrongdoing or liability by the defendants. Under the terms of the settlement, Norton Healthcare will establish an $11,000,000 settlement fund to cover attorneys’ fees and expenses, settlement administration and notification costs, service awards for the class representatives, and class member benefits.
All class members are entitled to claim three years of medical data monitoring services (CyEx Medical Shield Pro). Class members may also submit a claim for reimbursement of documented, unreimbursed out-of-pocket expenses due to the data breach. The reimbursement claims have been capped at $2,500 per class member. A claim may also be submitted for compensation for up to 4 hours of lost time dealing with matters related to the data breach at $20 per hour. A cash payment may also be claimed. The cash payments will be subject to an adjustment based on the number of claims received, but will be no less than $5 per class member.
The deadline for objecting to and opting out of the settlement is April 20, 2026. The final fairness hearing has been scheduled for May 15, 2026, and claims must be submitted by May 18, 2026.
December 18, 2023: Norton Healthcare Data Breach: Second Class Action Lawsuit Filed
A second class action lawsuit has been filed against Norton Healthcare in response to its May 2023 ransomware attack, in which the protected health information of up to 2.5 million patients was exposed and potentially stolen.
The first lawsuit was filed in the summer on behalf of plaintiff Lanisha Malone in the U.S. District Court after her personal information was misused. She was contacted by her bank to inform her about a suspicious charge to her account, which had been blocked. The lawsuit alleged the Louisville, KY-based health system had failed to implement appropriate security measures to safeguard the sensitive data of patients and that Norton Healthcare had failed to issue timely notification letters to allow the affected patients to take steps to protect themselves against identity theft and fraud.
Norton Healthcare announced in May 2023 that an investigation had been launched into a cyberattack; however, at the time, the extent of the breach had yet to be established and it was unclear how many individuals had been affected, so individual notification letters could not yet be issued. Norton Healthcare provided an update on the attack in December and confirmed that the cyberattack involved ransomware and that the ransom was not paid. Notification letters started to be mailed on December 8, 2023.
On December 14, 2023, a second class action lawsuit was filed against Norton Healthcare over the ransomware attack on behalf of Margaret Garrett of Crestwood, KY, and similarly situated individuals. The latest lawsuit alleges Norton Healthcare violated the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately protect patient information and also takes issue with the alleged lack of transparency about the ransomware attack and data breach. Norton Healthcare has now confirmed the types of data potentially compromised in the attack, but has been unable to say exactly how many individuals were affected or precisely which data elements were compromised.
The lawsuit claims that the sensitive data of patients and employees is now in the hands of cybercriminals and could be used for identity theft and fraud. It further claims that, now that the sensitive data has been sold or posted in public forums, patients and employees could be contacted directly by the ALPHV/BlackCat ransomware group and threatened with further exposure of their sensitive data, especially patients with sexually transmitted diseases or terminal illnesses. Recently, a cyberattack on the Fred Hutchinson Cancer Center resulted in patients being extorted directly by hackers after the decision was taken by Fred Hutchinson Cancer Center not to pay the ransom.
The lawsuit – Garrett v. Norton Healthcare Inc. – was filed in U.S. District Court for the Western District of Kentucky and seeks class action status, a jury trial, damages, and legal fees. The plaintiff and class are represented by Andrew W. Ferich and Carlynne A. Wagner of Ahdoot & Wolfson, PC, and John C. Whitfield of Whitfield Coleman Montoya, PLLC.
Norton Healthcare said it takes the privacy and security of patient and employee data very seriously and plans to vigorously defend itself in any litigation over the ransomware attack and data breach.
December 11, 2023: Norton Healthcare Notifies 2.5 Million Individuals About May 2023 Ransomware Attack
The Kentucky-based health system, Norton Healthcare, has recently confirmed that the personal and protected health information of patients and employees was exposed, and potentially stolen, in a May 2023 ransomware attack. According to the breach report submitted to the Maine Attorney General, the Norton Healthcare data breach has affected up to 2.5 million individuals.
Norton Healthcare operates eight hospitals in Kentucky and Indiana. On May 9, 2023, suspicious activity was identified within its network, and it was later determined that ransomware had been used. Immediate action was taken to secure its network, and a forensic investigation was conducted to determine the extent of the breach. The investigation confirmed that an unauthorized third party had access to its network between May 7, 2023, and May 9, 2023, including network storage devices that contained sensitive patient and employee data. Norton Healthcare’s medical record system and Norton MyChart were not accessed and remained secure.
Throughout the investigation, Norton Healthcare provided updates on its website, with the first announcement made on May 11, 2023. Norton Healthcare previously confirmed that it was able to recover the affected files from backups and started to do so on May 10, 2023; however, the investigation and file review have taken several months. Those processes have now concluded, and notification letters started to be sent to the affected individuals on December 8, 2023.
The Norton Healthcare data breach was reported to the HHS’ Office for Civil Rights on July 7, 2023, to meet the breach reporting requirements of the HIPAA Breach Notification Rule, but an interim figure of 501 individuals was provided, as it had yet to be determined how many individuals had been affected. In mid-November, Norton Healthcare determined that “based on the data available to it, and out of an abundance of caution,” the most efficient approach was to notify all current (as of May 10, 2023) and former patients, employees, employee dependents, and beneficiaries about the ransomware attack. If a notification letter is received, it does not necessarily mean that personal and protected health information has been stolen, only that sensitive information may have been exposed.
The types of data involved may have included names in combination with one or more of the following: contact information, Social Security Number, date of birth, health information, insurance information, and medical identification number, and for certain individuals, driver’s license number, other government ID numbers, financial account numbers, and digital signatures. Norton Healthcare said it has enhanced its security safeguards since the attack and has not found any additional indicators of compromise as its networks were restored. As a precaution against misuse of data, Norton Healthcare has arranged for the affected individuals to be provided with complimentary credit monitoring and identity theft protection services for up to 24 months.
Norton Healthcare did not confirm the name of the ransomware group behind the attack, but the BlackCat ransomware group claimed responsibility. Norton Healthcare is facing legal action over the attack, with one lawsuit alleging that Norton Healthcare failed to implement appropriate safeguards to prevent attacks and did not issue timely notifications to the affected individuals.