Norton Healthcare Waited 7 Months to Notify Patients of Data Breach: Suit
The seven months Norton Healthcare waited between learning of a May 9 data breach in its servers and its Dec. 8 notification to affected patients deprived plaintiff Logan Aldridge and class members of the ability to “promptly mitigate potential adverse consequences” resulting from it, alleged Aldridge's class action Friday (docket 3:24-cv-00025) in U.S. District Court for Kentucky in Louisville.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
As a result of Norton’s delay in detecting the breach and notifying customers about it, the risk of fraud for Aldridge, a Hart County, Kentucky, resident, and class members “has been driven even higher,” the complaint said.
Upon information and belief, Norton was “on notice of the high potentiality for this exact sort of data security incident” but still held patients’ private information “in a negligent manner” on computer systems and networks vulnerable to cyberattack, said the complaint. Norton’s data security obligations were “particularly important given the substantial increase in cyberattacks and/or data breaches in the healthcare industry preceding the date of the breach,” it said.
Aldridge received a letter from Norton dated Dec. 8, notifying him the company’s network had been accessed and his private information was involved in the breach, the complaint said. Among the information Aldridge was required to provide Norton were his Social Security number, medical history, insurance information and coverage, medical providers and photo identification, said the complaint.
Norton’s privacy policy says it can share patient information for various purposes without written authorization -- for treatment, billing and to run the organization -- and it “promises it is ‘committed to protecting patients’ personal medical information,’” said the complaint. None of the reasons includes “disclosing the sensitive Private Information to unauthorized cyber-criminals,” the complaint said. The letter notifying Aldridge of the May 9 ransomware attack admits patients’ private information was accessed without authorization, the complaint said.
Since notification of the breach, Aldridge heeded Norton’s warning and “spent time dealing with the consequences” of the incident including verifying the legitimacy of the breach notice and “self-monitoring his accounts and credit reports to ensure no fraudulent activity has occurred,” the complaint said. In the notice, Norton advised Aldridge to mitigate his damages by “remain[ing] vigilant for incidents of fraud and identity theft by reviewing credit card account statements and monitoring your credit report for unauthorized activity,” the complaint said.
Aldridge has suffered injury in the form of damages to and diminution in the value of his private information, and he lost his benefit of the bargain by paying for medical services that failed to provide the data security he was promised, the complaint said. He also lost “time, annoyance, interference, and inconvenience as a result of the Data Breach and has anxiety and increased concerns about the loss of his privacy,” the complaint said. He has suffered imminent and impending injury arising from the present and ongoing risk of fraud, identity theft and misuse of his private information, it said.
Theft of personal health information is “gravely serious,” said the complaint, citing a 2015 Network World article. A “thief may use your name or health insurance numbers to see a doctor, get prescription drugs, file claims with your insurance provider, or get other care,” the article said. “If the thief’s health information is mixed with yours, your treatment, insurance and payment records, and credit report may be affected.”
To date, Norton “has done little” to provide Aldridge and class members with relief for damages they have suffered, offering only 12 months of “inadequate identity monitoring services through TransUnion” despite his and class members’ “being at risk of identity theft and fraud for the foreseeable future,” the complaint said.
Aldridge asserts claims of negligence, breach of fiduciary duty, unjust enrichment, breach of implied and express contract and violations of the Kentucky Consumer Protection Act, the complaint said. Kentucky law should apply to Aldridge and all class members, said the complaint, noting Norton’s headquarters are in Louisville. The company’s breaches of duty to Aldridge and class members “emanated from Kentucky,” it said.
The plaintiff seeks orders requiring Norton to encrypt all data collected through the course of business in accordance with regulations and to implement a comprehensive information security program. He seeks awards of actual, consequential and nominal damages; attorneys’ fees and costs; and prejudgment interest. Norton didn't comment Tuesday.