Norton Healthcare Failed to Prevent May 2023 Data Breach, Class Action Alleges

New to ClassAction.org? Read our Newswire Disclaimer

Norton Healthcare, Inc. faces a proposed class action over a May 2023 cyberattack during which the personal information of approximately 2.5 million individuals was compromised.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

The 31-page lawsuit says the defendant, a healthcare system that operates hospitals in Kentucky and Southern Indiana, began notifying affected individuals in early December 2023 that it had experienced a ransomware attack between May 7 and May 9 of this year. During this time, unauthorized individuals were able to access certain network storage devices where highly sensitive data belonging to patients, employees and dependents was stored unencrypted, the case alleges.

According to Norton Healthcare’s online notice of the incident, information stolen in the breach may vary from person to person but could include names, contact information, Social Security numbers, dates of birth, health information, insurance details and medical identification numbers. Some individuals may have also had their financial account numbers, digital signatures and driver’s license or other government ID numbers exposed, the notice adds.

The complaint claims that the data breach was a result of the defendant’s failure to maintain reasonable cybersecurity measures to protect consumers’ private information from unauthorized access and disclosure.

“Had the information been properly secured consistent with industry standard and best practices, the data thieves would have exfiltrated only unintelligible data,” the filing contends.

The lawsuit stresses that those whose information was leaked in the breach now face a significant, lifelong risk of identity theft and must pay out-of-pocket expenses associated with the fraudulent use of their personal information. 

Per the suit, the healthcare system failed to provide additional details about the incident in the notice letter it sent to victims on December 8.

“Norton’s Notice does not provide the dates of Defendant’s investigation, details of the root cause of the Data Breach, the vulnerabilities exploited, or details of the remedial measures undertaken to ensure such a breach does not occur again,” the case says. “To date, these critical facts have not been explained or clarified to [the plaintiff] and Class members, who retain a vested interest in ensuring that their [personally identifiable information/protected health information] remain protected.”

The lawsuit looks to represent anyone in the United States whose private information was accessed by and disclosed to unauthorized persons in the data breach experienced by Norton Healthcare, including all persons who were sent a notice of the incident.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.