LOUISVILLE, Ky. — Many Kentuckians recently got a letter in the mail from Norton Healthcare that said their personal information may have been stolen in a cyber attack.

What You Need To Know

  • Around 2.5 million people received a letter informing them their information may have been stolen in a ransomware attack on Norton Healthcare

  • The hospital system sent out the letter more than half a year after it discovered the attack

  • Norton said it took time to analyze the breach

  • A prominent attorney with Morgan & Morgan said waiting months to notify impacted patients is a problem because it leaves them at risk without notification that they need to protect themselves

It has been more than half a year since the Louisville-based hospital system first reported what it at the time called a “cyber event.”

Attorney John Yanchunis, who leads Morgan & Morgan’s consumer class action practice, said waiting that long to inform patients about the breach is a “real problem.”

“Obviously, a company following a breach will investigate," Yanchunis said. "By law, most states require notification to the consumer within 30 days. There will be probably repercussions to the entity for having delayed. The problem with that is that consumers not having received timely notice aren't put on notice that they need to protect themselves."

According to Norton Healthcare, the letter was sent to around 2.5 million people. The letter said an unauthorized individual got access to the company’s network storage devices between May 7-9.

It said information obtained in the breach could include a patient’s name, birth date, social security number, driver’s license number, contact information, health records, financial account numbers and even digital signatures, along with other personal and identifying information.

At the time of the hacking, Norton had to take its network offline, as it received a fax with threats and demands. The company worked with forensic investigators. The letter said the breach took time to analyze.

In the letter, Norton offers two years of credit monitoring for patients who may have been affected through Kroll. The company provides credit monitoring services; however, Kroll reported it was hacked in August.

The credit monitoring service Norton is providing won’t offer as much protections as some more robust measures, Yanchunis said. He recommends anyone impacted take a few steps, including locking their credit with all three credit bureaus, monitoring their financial accounts, filing a complaint with local law enforcement, the FBI and the Federal Trade Commission (FTC) and contacting the Internal Revenue Service (IRS) to get a pin that can be used in addition to a social security number to avoid someone else filing a false tax return.

Yanchunis said it’s also a good idea to purchase an identity theft protection plan. He added anyone who got the letter should sign up for the credit monitoring offered, as it’s a misconception that doing so would disqualify someone from joining a class action lawsuit down the road. That is not the case, he stressed. 

Breaches such as Norton’s do often result in class action lawsuits, Yanchunis said, which yield settlements for the affected group. He said if a class action suit does come from this case, patients would not need proof that stolen information has already impacted their credit because they’re now facing a lifelong risk of that.