LOUISVILLE, Ky. (WDRB) -- A federal class action lawsuit was filed against Norton Healthcare on behalf of employees and patients whose personal information was stolen from Norton's servers in a cyber attack earlier this year.
The lawsuit was filed in U.S. District Court on Friday, July 21, by Lanisha Malone, a former employee who worked at Norton Healthcare from 2015-22 and a longtime patient of the network. But as a class action lawsuit, it is filed on behalf of anyone affected by the data breach.
To date, Norton Healthcare has been tight-lipped about the May 9 data breach, which it refers to as a "cyber event." That breach has been the subject of speculation for weeks as the company works to recover its information and patients struggle to obtain prescriptions and schedule appointments.
Despite having knowledge of what Norton calls a "cyber event" on May 9, the lawsuit accuses the network of failing to notify the people affected or the state attorneys general offices in the affected areas.
"We intend to vigorously defend ourselves in any litigation associated with the cyber event we experienced earlier this year," Norton spokeswoman Renee Murphy said Tuesday. "However, it is our practice not to comment on any pending litigation."
The lawsuit claims that a wide range of victims' personal data was stolen by hackers, including, "names, addresses, dates of birth, email addresses, Social Security numbers, government identification information/driver’s license numbers, payment/financial institution information, health insurance providers, medical treatment information, medical diagnoses, medications, medical images, and lab results."
As a result of of illegally obtaining this private data, the lawsuit lists a number of opportunities for hackers to further exploit victims' personal information, including, "opening new financial accounts in Class Members' names, taking out loans in Class Members' names, using Class Members' information to obtain government benefits, filing fraudulent tax returns using Class Members' information, filing false medical claims using Class Members' information, obtaining driver's licenses in Class Members' names but with another person's photograph, and giving false information to police during an arrest."
Since the May 9 event, the lawsuit said an online group of cybercriminals going by the name "BlackCat" has taken responsibility for the cyber attack and publicly leaked stolen information as proof.
According to the lawsuit, Norton notified the U.S. Department of Health and Human Services about the data breach around July 7. The lawsuit says Norton was only able to include a "placeholder" of having affected 501 individuals. The lawsuit says, to date, Norton has not provided the actual number of affected people to HHS. Norton said it has reported the breach to HHS, but there is not a list of individuals, as the case is under investigation.
The lawsuit states that Malone, the plaintiff, found out that her private information was on the so-called "dark web" sometime in June, when she was contacted by her bank about a suspicious $1,500 charge on her debit card. The bank was able to block it, but she's also been getting letters and phone calls about car payments she does not owe. She has since had to get new credit and debit cards and spends two hours a week monitoring her transactions and credit reports for suspicious activity.
"Having to do this every week not only wastes her time as a result of Norton's negligence, but it also causes her great anxiety," the lawsuit states. "She is constantly worried about the adverse impact of this Data Breach on her personal and financial safety."
To date, the lawsuit says Malone and other victims have not been notified by Norton that their personal information was hacked.
"Norton knew of the breach since May 9, 2023 and as of July 21, 2023, has not yet notified the victims," the lawsuit states. "Norton offers no explanation of purpose for the long delay on its website. This delay violates HIPAA and other notification requirements and increases the injuries to Plaintiff(s) and Class."
Norton says on its website that the "cyber event" remains under investigation, adding that they "continue to bring systems back online and are close to resuming all operations."
The class action lawsuit accuses Norton of — among other things — negligence in failing to properly protect patient data (including protections recommended by the Federal Trade Commission), breach of contract and unjust enrichment.
The lawsuit is seeking a jury trial, compensatory damages, 10 years of credit monitoring for each affected victim, judgements requiring that Norton properly notify victims and provide ongoing protection for their personal information, as well as other remedies.
Related Stories:
- Norton Healthcare cyber attack highlights record year for data breaches nationwide
- After 2-month wait for mammogram results, Louisville woman says Norton patients are 'due an explanation'
- Norton Healthcare employee, patient information exposed in hack
- Hackers claim responsibility for Norton Healthcare 'cyber event' as Louisville patients await answers
- Norton Healthcare offers guidance on accessing care, answering questions following cyberattack
- Patients remain frustrated 2 weeks after initial cyberattack on Norton Healthcare system
- Norton Healthcare still reeling 2 weeks after cyberattack
- Norton Healthcare still investigating extent, impact of cyberattack
- Norton Healthcare says some surgeries being rescheduled after cyber-hack
- UofL cybersecurity expert says size of Norton Healthcare made it a target for hackers
- Norton Healthcare still evaluating after computer systems hacked
Copyright 2023 by WDRB Media. All rights reserved.
