Norton Healthcare agrees to $11M settlement

The settlement follows a ransomware attack attributed to the threat group BlackCat.

What happened

Norton Healthcare, a non-profit healthcare system, recently agreed to pay $11 million dollars to settle a class action lawsuit, as noted in the Settlement Agreement. The settlement follows a 2023 ransomware attack conducted by BlackCat (also known as Alphv). The breach led to data exposure for approximately 2.5 million individuals.

The backstory

Norton Healthcare, which operates nine hospitals and 480 other care facilities in Kentucky and Indiana, first notified individuals of the breach on December 8th, 2023. The initial notice said Norton discovered the breach on May 9th, 2023 and determined that an unauthorized group accessed “certain network storage devices.”

Norton ultimately determined the incident was a ransomware attack, but the practice said they did not pay a ransom and instead notified the FBI.

Involved information varied by person, but may have included names, contact information, Social Security numbers, dates of birth, health information, insurance information, and medical identification numbers. In some cases, identification information (like driver’s license numbers), financial information, and digital signatures were also part of the breach.

Going deeper

The attack was claimed by BlackCat, a notorious ransomware group that has attacked other prominent organizations, and was responsible for the Change Healthcare breach. BlackCat first surfaced in late 2021, but has since attacked numerous organizations, often targeting healthcare. The Canadian Government, which has similarly been victimized by the group, noted the organization is Russian-speaking and appears to attack based on opportunity. The threat group offers Ransomware as a Service (RaaS), meaning they allow less tech-savvy attackers to use their ransomware in exchange for a percentage of their earnings. Although the group is believed to be based in Russia, the organization has spread around the world. In late 2025, two Americans pled guilty to using the ransomware service to attack other American companies.

In the know

Norton Healthcare’s settlement is one of the largest this year, falling behind NextGen Healthcare’s settlement of $19.4 million and expected settlements from Yale New Haven Health System (estimated to be $18 million) and McLaren Health (estimated to be $14 million). Paubox has steadily seen an increase in the cost of a data breach, which now average about $11 million per breach, including the costs associated with class action suits, penalties, and operational disruptions. Norton Healthcare has experienced some of these hidden costs firsthand; the system had to cancel numerous appointments, surgeries, and other procedures for several weeks as they worked to secure their system.

The big picture

CISA regularly releases alerts about new ransomware groups, critical vulnerabilities, and ongoing threats, making awareness a critical component of preventing attacks.

Preventing attacks also involves training employees and using the right tools. Paubox constantly monitors the newest attack strategies, ensuring our email security is staying up to date against evolving trends. That’s why none of our clients have ever had a breach while using Paubox.

FAQs

What determines the settlement amount?

A settlement agreement depends a lot on the specifics of the case and how the negotiation process goes. Generally, the final number reached will depend on the total victim count, how negligent the Plaintiff was, and if the incident resulted in real harm to the victims. Other factors, like how quickly victims were notified, may also impact the agreement.

Does every class action lawsuit result in a settlement?

It’s common for data breach lawsuits to result in a settlement because, generally, the suits make fairly strong cases about how the breach could have been prevented. However, it’s always possible for healthcare organizations to fight these lawsuits in court.