Claims Open in $11 Million Hospital Data Breach Settlement

By Bill Pan
Bill Pan is an Epoch Times reporter covering education issues and New York news.
February 24, 2026 | Updated: February 25, 2026

Those whose information may have been compromised in a cyberattack targeting a Kentucky-based hospital network can now seek compensation of up to $2,500 and other benefits under a proposed class action settlement.

Norton Healthcare, which operates nine hospitals and hundreds of clinics in Kentucky and Indiana, has agreed to pay $11 million to settle the federal lawsuit stemming from a May 2023 data breach. The settlement received preliminary approval in January, and a final approval hearing is scheduled for May 15, 2026, in Jefferson Circuit Court in Kentucky.

Notice letters have been sent to class members over the past month. Court filings estimate that nearly 2.5 million current and former patients and employees are covered by the settlement.

Under the agreed terms, class members may claim up to $2,500 each for unreimbursed out-of-pocket expenses such as bank fees and credit report fees that are “fairly traceable” to the data incident.

Norton also agreed to compensate class members for time spent dealing with the breach. Eligible claimants may receive up to $80 for lost time, calculated at $20 per hour for up to four hours spent freezing their credit, addressing actual fraud, and monitoring bank statements.

In addition to documented losses and lost-time claims, all class members may be eligible for a one-time cash payment of at least $5. That payment will come from the net settlement fund after administrative costs, attorneys’ fees, and service awards for lead plaintiffs are paid.

If the total number of valid claims exceeds the funds available for the one-time cash payment, payments for valid out-of-pocket loss claims may be reduced on an equal-share basis. The adjustment would be made to ensure that the one-time cash payment remains at least $5.

To file a claim online, class members are directed to the court-authorized settlement website, where they can enter the class member ID listed on their notice. They may also download a PDF claim form, print it, complete it, and mail it to the settlement administrator listed on the website.

All of the claim forms must be submitted online or postmarked by May 18, according to the website. Class members who object to the settlement or wish to opt out must submit their objection or exclusion request by April 20.

The settlement comes nearly three years after a lawsuit was filed alleging that Norton failed to protect confidential personal and health information, and that the hospital network failed to promptly notify affected individuals and state attorneys general in affected jurisdictions. If finally approved, the settlement would resolve the claims with no admission of wrongdoing or liability on Norton’s part.

“This settlement brings resolution for those potentially affected,” a spokesperson for Norton said in a statement. “We look forward to moving toward final approval according to the Court’s schedule.”

According to the complaint, the potentially exposed information included names, addresses, Social Security numbers, driver’s license numbers, insurance policy information, medical histories and diagnoses, banking and credit card information, and other sensitive data.

AlphV/BlackCat, a Russia-based ransomware group with suspected ties to the Russian government, claimed responsibility for the attack. According to the complaint, the group posted on the dark web that it had stolen “4.7 terabytes of data” and published samples that allegedly included victims’ personal information.

Ransomware is a type of malicious software that can lock victims out of data, devices, or networks by encrypting files or otherwise disabling access. Attackers then demand payment, often in cryptocurrency, in exchange for a decryption key or restored access.

In Norton’s case, the company told state government officials that it did not pay a ransom to the attackers.