
Norton Healthcare Pays $11M Data Breach Settlement

Norton Healthcare has agreed to pay $11 million to resolve a class action lawsuit stemming from a major 2023 ransomware attack. Specifically, the settlement covers nearly 2.5 million current and former patients and employees whose personal data was compromised. As a result, this case now stands as one of the most significant healthcare data breach settlements in recent years.

What Triggered the Class Action Lawsuit?

The lawsuit arose after a devastating cybersecurity incident that struck Norton Healthcare in May 2023. In particular, plaintiffs alleged that the Louisville, Kentucky-based health system failed to implement adequate security protocols. Consequently, cybercriminals accessed and stole sensitive personal and protected health information stored on Norton’s network.

The legal claims included negligence, breach of implied contract, unjust enrichment, and invasion of privacy. Although Norton Healthcare denied all wrongdoing, the organization chose to settle rather than face the uncertainty and cost of a prolonged trial. Therefore, the $11 million fund was established to compensate affected individuals.

The BlackCat Ransomware Attack Explained

How the Breach Unfolded

On May 9, 2023, Norton Healthcare first detected suspicious activity within its network. Following this discovery, a forensic investigation confirmed that a threat actor had accessed certain network storage devices between May 7 and May 9, 2023. Subsequently, the notorious ransomware-as-a-service group ALPHV/BlackCat claimed responsibility for the attack and leaked approximately 4.7 terabytes of stolen data on the dark web.

What Data Was Compromised?

As a direct result of the breach, a wide range of sensitive information was exposed, including full names, contact information, dates of birth, Social Security numbers, health and insurance details, driver’s license numbers, financial account numbers, and complete medical history records.

Moreover, Norton Healthcare confirmed it did not pay a ransom in the attack. However, the damage was already done. Ultimately, victims faced serious risks of identity theft, fraudulent charges, and long-term exposure of data that simply cannot be changed — such as Social Security numbers and dates of birth.

Who Is Eligible for Compensation?

Covered Class Members

The settlement covers all individuals who received a data breach notification letter from Norton Healthcare or Norton Hospitals. Specifically, this includes anyone notified that their personal information may have been exposed in the May 2023 incident. Furthermore, court documents estimate that approximately 2,487,683 current and former patients and employees qualify for the settlement.

What the Plaintiffs Claimed

In addition to the eligibility criteria, plaintiffs argued that Norton Healthcare did not have reasonable security measures in place to prevent, detect, or stop the ransomware attack. They further claimed that victims suffered identity theft, fraudulent charges, anxiety, emotional distress, and significant time spent dealing with the fallout. As a result, the settlement fund aims to provide meaningful compensation for these widespread harms.

How Much Can Class Members Claim?

Compensation Breakdown

The $11 million settlement fund covers several categories of compensation. Notably, class members can access the following benefits:

Out-of-Pocket Expense Reimbursement — First and foremost, class members can claim up to $2,500 for documented, unreimbursed expenses directly traceable to the breach. These expenses include bank fees, communication charges, travel expenses, credit-related costs, and fraudulent charges.

Lost Time Compensation — Additionally, members may claim $20 per hour for up to four hours, totaling a maximum of $80, for time spent addressing breach-related issues such as acquiring credit freezes, remedying fraud, or monitoring bank accounts.

Pro-Rata Cash Payment — Furthermore, all class members are eligible for a cash payment of at least $5, distributed from funds remaining after all other claims and fees are settled.

Medical Monitoring Services — Finally, every class member may receive three free years of CyEx Medical Shield Pro enrollment through the settlement administrator.

Attorney Fees and Service Awards

In terms of legal costs, class counsel is set to receive up to one-third of the settlement fund, approximately $3.6 million, in attorney’s fees. Meanwhile, several class representatives will each receive $3,500 service awards.

How to File a Settlement Claim

Online Submission

To begin the claims process, class members can submit a claim online by visiting the official settlement website. From there, claimants simply enter the Class Member ID found on the settlement notice they received.

Mail Submission

Alternatively, claimants can download a PDF claim form, complete it, and mail it to the settlement administrator at:

Berthold v. Norton Healthcare, c/o Kroll Settlement Administration LLC, P.O. Box 5324, New York, NY 10150-5324

In addition, class members with questions can call 833-319-9294 or email the settlement administrator directly for further assistance.

Key Deadlines to Remember

Critical Dates

Given the tight timeline, class members should note the following key dates carefully:

  • April 20, 2026 — This is the final deadline to opt out of or formally object to the settlement.
  • May 15, 2026 — A Jefferson Circuit Court judge in Kentucky will hold the final approval hearing on this date.
  • May 18, 2026 — Most importantly, all claim forms must be submitted online or postmarked by this date without exception.

It is worth noting that compensation will be distributed only after final court approval is granted and any appeals are fully resolved.

What This Means for Healthcare Data Security

A Broader Warning for the Industry

Beyond this specific case, the Norton Healthcare lawsuit highlights a growing threat across the entire healthcare sector. Indeed, ransomware groups increasingly target hospitals and health systems because they store vast amounts of highly sensitive data. Moreover, many organizations still lack the cybersecurity infrastructure needed to defend against sophisticated, well-funded attack groups like BlackCat.

No Security Improvements Required

Notably, however, the settlement does not require Norton Healthcare to implement specific improvements to its security practices. This distinction sets the case apart from some other recent healthcare data breach settlements. As a result, critics argue this represents a missed opportunity to drive stronger, enforceable protections for patients going forward.

Why This Case Matters

Overall, healthcare data breaches carry long-term consequences that extend far beyond the initial incident. Unlike a compromised password, stolen Social Security numbers, birth dates, and medical records simply cannot be changed or reset. Therefore, victims face a lifetime risk of identity theft and fraud. In conclusion, this settlement serves as a stark reminder that healthcare organizations must treat data protection not as a compliance checkbox, but as a core operational responsibility.
