Norton Healthcare data breach and US State identity theft law

Kentucky-based healthcare provider Norton Healthcare has notified its customers of a ransomware attack compromising personal information about millions of people. After a long and complex investigation, the company now faces at least two class-action lawsuits. 

Norton has published a breach notice on its website and notified several state Attorneys General about the incident. But the breach occurred in May, so why did Norton wait nearly seven months to tell people about it? 

This article explains Norton’s cyber incident and considers the company’s position under the complex patchwork of identity theft and data breach notification laws across the US. 

What happened? 

According to a statement on Norton’s website, the company experienced “a cybersecurity incident, later determined to be a ransomware attack” between 7-9 May 2023 affecting around 2.5 million people. The company discovered the incident on 9 May. 

Norton says that the information compromised might vary from person to person, but includes: 

• Name 
• Contact information 
• Social Security Number 
• Date of birth 
• Health information 
• Insurance information 
• Medical identification numbers 

Norton reports that the attackers did not access Norton’s medical records systems. 

Cybercrime group ALPHV/BlackCat has claimed credit for the incident, claiming it stole almost five terabytes of data. 

The breach appears on the websites of several state Attorneys General to whom Norton reported it, including Maine and Texas, where 10,323 residents were reportedly affected. 

In its notification to the Maine Attorney General, Norton says it notified affected residents on 8 December – nearly seven months after discovering the breach. 

Class-action lawsuit 

Within weeks of revealing the data breach, Norton was already facing at least two class action lawsuits. 

The first case was brought by an ex-Norton employee who attributes suspicious banking transactions to the breach. 

The second case alleges that Norton failed to meet its obligations under the federal Health Insurance Portability and Accountability Act (HIPAA). 

Whether or not these cases succeed, they could cost Norton a lot of time, money, and stress. 

The company might also face enforcement under HIPAA, which allows the Office for Civil Rights (OCR) to impose civil penalties of up to nearly $69,000 per violation. 

US State Data Breach Notification Laws 

Every US state has its own rules for data breach notification. Some state laws exclude companies, like Norton, that are covered by HIPAA. Others don’t. While many breach notification laws look similar, there can be significant differences from state to state. 

Most breach notification laws require an organization to notify state residents, and often the state Attorney General, “without unreasonable delay” or “in the most expedient time possible”. Many states also set a deadline for notification (often 30 days). 

But there are good reasons why notification might take a long time. 

Why did Norton take seven months to notify people? 

Norton states that it took the following steps after discovering the breach: 

• Notifying federal law enforcement. 
• Immediately beginning an investigation, assisted by a “respected forensic security provider” 
• Starting work to stop the unauthorized access to personal information 

Under every state’s breach notification law, organizations can delay notification if requested by law enforcement to do so. 

Sticking with the Maine example, here’s what the law says: 

• Notification must be made “as expediently as possible and without unreasonable delay” and within 30 days of discovering the breach and identifying its scope. 
• However, the timing of the notification must be “consistent with the legitimate needs of law enforcement”. 

• Notification may also be delayed:  

• To take measures necessary to determine the scope of the security breach, and  
• Restore the reasonable integrity, security and confidentiality of the data in the system. 

Norton might have delayed notification due to any of the above reasons: For example, if the company was not sure whose personal information had been affected, did not yet know the scope of the breach, or had been instructed to delay notification by law enforcement. 

Preparing for breach notification 

Implementing strong security measures to keep cybercriminals out of your systems is essential. 

But there are no perfect security solutions. Many organizations will experience a data breach at some point, and it’s important to have a plan in place to ensure people are notified on time, and in the correct manner. 

If you operate in the US, your organization should have a working knowledge of the relevant breach notification laws, including: 

• Which laws apply in the states in which your company operates 
• How each law defines a “data breach” 
• How each law defines “personal information” 
• Under what circumstances you must notify individuals of a breach 
• Whether you also have to notify the state Attorney General or another authority 
• Whether you need to notify consumer reporting agencies under certain conditions 
• What notification methods are acceptable in each state
• The relevant notification deadlines and exceptions
• What form your breach notification must take in each state 

Privacy and security regulation is getting tougher across the US, and acting swiftly in the event of a data breach could help mitigate the damage to your organization and its customers.