
Norton Healthcare Data Breach: Second Class Action Lawsuit Filed

Second Class Action Lawsuit Filed Over Norton Healthcare Data Breach

A second class action lawsuit has been filed against Norton Healthcare in response to its May 2023 ransomware attack in which the protected health information of up to 2.5 million patients was exposed and potentially stolen.

The first lawsuit was filed in the summer on behalf of plaintiff Lanisha Malone in U.S. District Court after her personal information was misused. She was contacted by her bank to inform her about a suspicious $1,5000 charge to her account which had been blocked. The lawsuit alleged the Louisville, KY-based health system had failed to implement appropriate security measures to safeguard the sensitive data of patients and that Norton Healthcare had failed to issue timely notification letters to allow the affected patients to take steps to protect themselves against identity theft and fraud.

Norton Healthcare announced in May 2023 that an investigation had been launched into a cyberattack; however, at the time the extent of the breach had yet to be established and it was unclear how many individuals had been affected, so individual notification letters could not yet be issued. Norton Healthcare provided an update on the attack in December, confirming that the cyberattack involved ransomware and that the ransom was not paid. Notification letters started to be mailed on December 8, 2023.

On December 14, 2023, a second class action lawsuit was filed against Norton Healthcare over the ransomware attack on behalf of Margaret Garrett of Crestwood, KY, and similarly situated individuals. The latest lawsuit alleges Norton Healthcare violated the Privacy and Security Rules of the Health Insurance Portability and Accountability Act (HIPAA) by failing to adequately protect patient information and also takes issue with the alleged lack of transparency about the ransomware attack and data breach. Norton Healthcare has now confirmed the types of data potentially compromised in the attack, but it has been unable to say exactly how many individuals were affected or which specific data elements were compromised for each affected individual.


The lawsuit claims that the sensitive data of patients and employees is now in the hands of cybercriminals and could be used for identity theft and fraud. It further claims that, because the sensitive data has been sold or posted in public forums, patients and employees could be contacted directly by the ALPHV/BlackCat ransomware group and threatened with further exposure of their sensitive data, a particular risk for patients with sexually transmitted diseases or terminal illnesses. Recently, a cyberattack on the Fred Hutchinson Cancer Center resulted in patients being extorted directly by the hackers after Fred Hutchinson Cancer Center decided not to pay the ransom.

The lawsuit, Garrett v. Norton Healthcare Inc., was filed in U.S. District Court for the Western District of Kentucky and seeks class action status, a jury trial, damages, and legal fees. The plaintiff and class are represented by Andrew W. Ferich and Carlynne A. Wagner of Ahdoot & Wolfson, PC, and John C. Whitfield of Whitfield Coleman Montoya, PLLC.

Norton Healthcare said it takes the privacy and security of patient and employee data very seriously and plans to vigorously defend itself in any litigation over the ransomware attack and data breach.

December 11, 2023: Norton Healthcare Notifies 2.5 Million Individuals About May 2023 Ransomware Attack

The Kentucky-based health system, Norton Healthcare, has recently confirmed that the personal and protected health information of patients and employees was exposed, and potentially stolen, in a May 2023 ransomware attack. According to the breach report submitted to the Maine Attorney General, the Norton Healthcare data breach has affected up to 2.5 million individuals.

Norton Healthcare operates eight hospitals in Kentucky and Indiana. On May 9, 2023, suspicious activity was identified within its network and it was later determined that ransomware had been used. Immediate action was taken to secure its network and a forensic investigation was conducted to determine the extent of the breach. The investigation confirmed that an unauthorized third party had access to its network between May 7, 2023, and May 9, 2023, including network storage devices that contained sensitive patient and employee data. Norton Healthcare’s medical record system and Norton MyChart were not accessed and remained secure.

Throughout the investigation, Norton Healthcare provided updates on its website, with the first announcement made on May 11, 2023. Norton Healthcare previously confirmed that it was able to recover the affected files from backups, and started to do so on May 10, 2023; however, the investigation and file review have taken several months. Those processes have now concluded and notification letters started to be sent to the affected individuals on December 8, 2023.

The Norton Healthcare data breach was reported to the HHS’ Office for Civil Rights on July 7, 2023, to meet the breach reporting requirements of the HIPAA Breach Notification Rule, but an interim figure of 501 individuals was provided as it had yet to be determined how many individuals had been affected. In mid-November, Norton Healthcare determined that “based on the data available to it, and out of an abundance of caution,” the most efficient approach was to notify all current (as of May 10, 2023) and former patients, employees, employee dependents and beneficiaries about the ransomware attack. If a notification letter is received it does not necessarily mean that personal and protected health information has been stolen, only that sensitive information may have been exposed.

The types of data involved may have included names in combination with one or more of the following: contact information, Social Security Number, date of birth, health information, insurance information, and medical identification number, and for certain individuals, driver’s license number, other government ID numbers, financial account numbers, and digital signatures. Norton Healthcare said it has enhanced its security safeguards since the attack and has not found any additional indicators of compromise as its networks were restored. As a precaution against misuse of data, Norton Healthcare has arranged for the affected individuals to be provided with complimentary credit monitoring and identity theft protection services for up to 24 months.

Norton Healthcare did not confirm the name of the ransomware group behind the attack, but the BlackCat ransomware group claimed responsibility. Norton Healthcare is facing legal action over the attack, with one lawsuit alleging Norton Healthcare failed to implement appropriate safeguards to prevent attacks and did not issue timely notifications to the affected individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
