LOUISVILLE, Ky. (WDRB) -- A second class action lawsuit has been filed against Louisville-based Norton Healthcare over a ransomware attack that exposed data of thousands of patients and employees. 

The suit was filed Dec. 14 on behalf of Margaret Garrett of Crestwood and others nationwide who are or were patients or were affiliated with Norton. The lawsuit is asking for a jury trial. 

The suit claims that Norton violated HIPAA Privacy and Security Rules by failing to keep its promise to keep personal information and private health information confidential. It also criticizes the healthcare company for not having strong enough security to protect sensitive files and not disclosing what was compromised in the hack. 

Norton has not confirmed what information may have been compromised, but the breach may have impacted names, contact information. Social Security numbers, birthdates, health and insurance information, drivers license numbers, financial accounts and digital signatures. 

The new class action lawsuit said that selling information can fetch up to $1,300 on the black market for each person. 

Norton initially called the hack a "cyber attack," when it was made public in May 2023. In December, it referred to the hack as a "ransomware attack." 

Norton spokeswoman Renee Murphy released a statement following the latest lawsuit filing. 

"We take safeguarding personal information seriously and plan to vigorously defend ourselves in any litigation associated with the ransomware attack from earlier this year," Murphy said. 

Last week, Murphy declined to say how the incident was resolved, only saying "we did not make any ransom payment." She hasn't responded to WDRB when asked if the stolen information was returned as a result of an insurance claim.

The attack does not just affect people in Kentucky and Indiana. Norton filed a data breach notification in Maine where just under 400 residents were impacted. That filing also said the attack wasn't just one day. Norton said the data breath happened May 7 and wasn't discovered until May 9. 

Norton Healthcare said about 2.5 million people will receive letters in the mail informing them they were possibly affected by a ransomware attack in May that exposed a wide array of sensitive information. Each are being offered two years of credit monitoring. 

The lawsuit also claims Norton patients and employees with health information sold or posted in a public forum could be vulnerable to extortion from criminals -- especially those with sexually transmitted diseases or terminal illnesses. 

Norton serves about 600,000 patients a year with nearly $5 billion in assets. 

The first federal class action lawsuit was filed July 21 against Norton Healthcare. Despite having knowledge of the May 9 incident, the lawsuit accuses the network of failing to notify the people affected or the state attorneys general offices in the affected areas. 

Norton, one of the three large health care providers in Louisville, has been tight-lipped since the incident occurred. It did say its MyChart system was not part of the hack.

Moving forward, Norton said it was working with external cybersecurity experts and federal law enforcement to "terminate the unauthorized access" and is "further enhancing its security safeguards."

A hacker group called BlackCat claimed responsibility for the attack and leaked files as proof. 

Related Stories:

Copyright 2023 WDRB Media. All Rights Reserved.