Attorney weighs in on Norton ransomware attack letter
LOUISVILLE, Ky. — Many Kentuckians recently got a letter in the mail from Norton Healthcare that said their personal information may have been stolen in a cyber attack.
It has been more than half a year since the Louisville-based hospital system first reported what it at the time called a “cyber event.”
Attorney John Yanchunis, who leads Morgan & Morgan’s consumer class action practice, said waiting that long to inform patients about the breach is a “real problem.”
“Obviously, a company following a breach will investigate,” Yanchunis said. “By law, most states require notification to the consumer within 30 days. There will be probably repercussions to the entity for having delayed. The problem with that is that consumers not having received timely notice aren’t put on notice that they need to protect themselves.”
According to Norton Healthcare, the letter was sent to around 2.5 million people. The letter said an unauthorized individual got access to the company’s network storage devices between May 7 and May 9.
It said information obtained in the breach could include a patient’s name, birth date, Social Security number, driver’s license number, contact information, health records, financial account numbers and even digital signatures, along with other personal and identifying information.
At the time of the hacking, Norton had to take its network offline, as it received a fax with threats and demands. The company worked with forensic investigators. The letter said the breach took time to analyze.
In the letter, Norton offers patients who may have been affected two years of credit monitoring through Kroll. The company provides credit monitoring services; however,