Norton Healthcare Will Pay $11 Million After Ransomware Breach — 2.5 Million Patients Affected

Norton Healthcare has agreed to pay $11 million to settle a class action lawsuit stemming from a May 2023 ransomware attack that exposed the personal and medical data of approximately 2.5 million patients and employees. If you were notified that your information was compromised in this breach, you could receive up to $80 in cash for time spent dealing with the fallout, up to $2,500 for documented out-of-pocket expenses, and three years of medical identity monitoring services. The deadline to file a claim is May 18, 2026, through the official settlement website at nortondataincidentsettlement.com. The breach ranks among the largest healthcare data incidents in recent years, and the settlement — announced around February 25, 2026 — reflects the growing financial consequences hospitals and health systems face when they fail to keep patient data secure.

The ALPHV/BlackCat ransomware group, one of the most prolific cybercriminal operations in the world, claimed responsibility for the attack and leaked roughly 4.7 terabytes of stolen data on a dark web site. This article breaks down who qualifies, what the settlement actually pays, how to file a claim before the deadline, and what this case signals about healthcare cybersecurity accountability. The case, formally titled *Abby Berthold, et al. v. Norton Healthcare, Inc., et al.*, is worth paying attention to whether you are a directly affected patient or simply someone who wants to understand what recourse exists when a hospital system loses control of your most sensitive information.

What Happened in the Norton Healthcare Ransomware Attack That Affected 2.5 Million Patients?

Between May 7 and May 9, 2023, hackers affiliated with the ALPHV/BlackCat ransomware group gained unauthorized access to Norton Healthcare’s network storage devices. The attack culminated on May 9 when the ransomware was deployed, disrupting operations at one of Kentucky’s largest health systems. Norton Healthcare operates multiple hospitals and medical facilities across the Louisville metro area, meaning the blast radius of this breach stretched across a huge patient population spanning years of medical records. The compromised data was not limited to names and addresses. According to breach notifications and court filings, the stolen information included Social Security numbers, dates of birth, health insurance details, medical information, driver’s license and government ID numbers, financial account information, and general contact details. That is essentially the full identity theft starter kit.

The ALPHV/BlackCat group subsequently leaked approximately 4.7 terabytes of this data on a dark web leak site, making it available to essentially anyone willing to look for it. For context, 4.7 terabytes is roughly equivalent to the text content of several million books — an enormous volume of structured personal records. To put the severity in perspective, compare this to the typical retail data breach that might expose email addresses and passwords. A healthcare breach of this nature is qualitatively different. Medical records, Social Security numbers, and insurance information are far more valuable on criminal markets and far more difficult for victims to change or remediate. You can reset a password in minutes. You cannot change your Social Security number or medical history.

How Much Money Can You Actually Get from the Norton Healthcare Settlement?

The $11 million settlement fund sounds significant, but the per-person payouts require some realistic expectations. Class members can claim cash payments calculated at $20 per hour for up to four hours of time spent dealing with the breach — things like monitoring credit reports, placing fraud alerts, calling banks, or dealing with identity theft paperwork. That caps the time-based payment at $80 per person. If you incurred actual financial losses because of the breach, such as fraudulent charges, fees for credit freezes, or costs related to identity theft remediation, you can claim up to $2,500 in documented, unreimbursed out-of-pocket expenses. However, there is an important catch that applies to virtually every class action settlement of this type: if the total claims exceed the available fund, payments get reduced on a pro-rata basis. If every single one of the 2.5 million affected individuals filed a claim for the maximum amount, the math would not work — $80 times 2.5 million alone would be $200 million, far exceeding the $11 million fund.

In practice, class action claim rates are notoriously low, often in the single-digit percentages, which is why these settlements function at all. But the more people who file, the less each person receives. The settlement does guarantee a minimum pro-rata cash payment of at least $5 from remaining funds after other claims are paid. Additionally, all eligible class members can receive three years of complimentary medical identity monitoring services. This is particularly relevant for a healthcare breach because standard credit monitoring does not catch medical identity theft — someone using your insurance information to obtain prescriptions or medical care in your name. If you were affected by this breach, the monitoring benefit may be worth more in practical terms than the cash payment, especially if your Social Security number and insurance details were among the stolen data.

Norton Healthcare Settlement — Maximum Benefits by Category

Time Spent (up to 4 hrs): $80
Out-of-Pocket Expenses: $2,500
Minimum Pro-Rata Payment: $5

Source: Norton Healthcare Data Incident Settlement Agreement, 2026

Who Is Behind ALPHV/BlackCat and Why Healthcare Systems Are Prime Targets

The ALPHV/BlackCat ransomware group that claimed responsibility for the Norton Healthcare attack is not some amateur operation. It has been one of the most active and technically sophisticated ransomware-as-a-service operations globally, responsible for attacks on dozens of major organizations across healthcare, financial services, and critical infrastructure. The group operates a model where affiliates carry out individual attacks using BlackCat’s ransomware tools and infrastructure, then split the ransom proceeds. The FBI and international law enforcement have taken multiple actions against ALPHV/BlackCat’s infrastructure, but the group has repeatedly reconstituted itself.

Healthcare systems are disproportionately targeted by ransomware groups for a simple reason: the data is extraordinarily valuable, and the operational pressure to restore systems quickly gives hospitals strong incentives to pay ransoms or settle lawsuits rather than fight prolonged battles. A hospital that cannot access patient records faces immediate patient safety risks, which creates urgency that a retailer losing access to its inventory system does not face. Norton Healthcare reportedly did not pay a ransom in this case, but the $11 million settlement — plus legal costs, remediation expenses, and reputational damage — illustrates that refusing to pay attackers does not eliminate the financial consequences. For patients, the lesson is that your medical provider holds some of the most sensitive data about you, and the healthcare industry’s cybersecurity posture has consistently lagged behind the threat level. The number of healthcare data breaches reported to the Department of Health and Human Services has climbed steadily, and breaches affecting more than one million individuals are no longer exceptional events.

How to File a Claim Before the May 18, 2026 Deadline

If you received a notification from Norton Healthcare about the breach, filing a claim is straightforward but time-sensitive. You can submit your claim online at nortondataincidentsettlement.com or mail a physical claim form postmarked by May 18, 2026, at 11:59 PM. The online process is typically faster and generates a confirmation, which is worth keeping for your records. When filing, you will need to decide which benefits to claim. For the time-based cash payment of up to $80, you will need to attest to the time you spent responding to the breach. For the higher reimbursement of up to $2,500, you will need documentation — receipts, bank statements, or records showing actual expenses you incurred because of the breach that were not reimbursed by any other source.

The tradeoff here is real: if you only spent a couple of hours dealing with the breach and have no documented losses, the honest claim is likely in the $40 to $80 range plus the monitoring benefit. Filing for out-of-pocket expenses without documentation will not survive the claims review process and could delay or reduce your overall payment. There are two other deadlines to note. If you want to object to the settlement terms — perhaps you believe the total amount is inadequate given the severity of the breach — you must do so by April 20, 2026. The same deadline applies if you want to opt out of the settlement entirely, which preserves your right to sue Norton Healthcare independently but forfeits any payment from this settlement. The final fairness hearing, where the court will decide whether to approve the settlement, is scheduled for May 15, 2026.

Why $11 Million May Not Be Enough — and the Limits of Class Action Settlements for Data Breaches

An $11 million settlement for a breach affecting 2.5 million people works out to roughly $4.40 per affected individual if the money were divided equally — less than the cost of a cup of coffee. Even with low claim rates boosting individual payouts, the fundamental criticism of data breach class actions remains: the settlements are too small relative to the actual harm. Identity theft and medical fraud can follow victims for years, requiring ongoing vigilance, credit monitoring, and in severe cases, legal assistance to untangle fraudulent accounts or medical records. The settlement caps reimbursement at $2,500, but serious identity theft cases can cost victims far more than that in time and money. There is also a structural limitation worth understanding. Class action attorneys in these cases typically receive a significant portion of the settlement fund — often 25 to 33 percent — as fees.

While this is standard practice and approved by the court, it means the $11 million is not entirely flowing to affected patients. The final fee award will be determined at the May 15 fairness hearing, but claimants should understand that the net amount available for distribution will be smaller than the headline figure. None of this means you should skip filing a claim. The money is there, and failing to file means you get nothing while the settlement still goes through. But it is worth being clear-eyed that these settlements function more as a financial inconvenience for the breached company than as full compensation for the affected individuals. The real deterrent value, if any, comes from the legal costs, public scrutiny, and operational changes companies are forced to make as part of settlements.

What to Do Right Now If Your Data Was Exposed in the Norton Healthcare Breach

Beyond filing your claim, there are concrete steps you should take immediately if you have not already. Place a fraud alert or credit freeze with all three major credit bureaus — Equifax, Experian, and TransUnion. A credit freeze is stronger than an alert because it prevents new accounts from being opened in your name without your explicit authorization. Review your medical insurance explanation of benefits statements carefully for any services you did not receive, which could indicate medical identity theft.

If you find discrepancies, report them to your insurer and request a copy of your medical records to check for entries that do not belong to you. Consider filing an identity theft report with the Federal Trade Commission at IdentityTheft.gov if you have evidence that your stolen information has been misused. This creates an official record that can help you dispute fraudulent accounts or charges. Given that 4.7 terabytes of data were leaked publicly, the risk of misuse is not theoretical — it is ongoing.

What the Norton Healthcare Case Means for Healthcare Data Security Going Forward

The Norton Healthcare settlement arrives at a time when pressure is mounting on the healthcare industry from multiple directions. Federal regulators have proposed updates to the HIPAA Security Rule that would impose more specific cybersecurity requirements on healthcare organizations, including mandatory encryption, multi-factor authentication, and more rigorous risk assessments. Several states have also moved to strengthen their own data breach notification and penalty frameworks.

The pattern is clear: the regulatory environment is tightening, and settlements like this one reinforce the financial argument for investing in cybersecurity before a breach rather than paying for it afterward. For patients, the broader takeaway is that healthcare data breaches are not slowing down, and the compensation available through class action settlements will rarely make victims whole. The most effective protection remains personal vigilance — freezing credit, monitoring insurance statements, and treating every breach notification as a serious event requiring immediate action rather than another piece of junk mail to ignore.

Conclusion

Norton Healthcare’s $11 million settlement resolves the legal claims from a devastating 2023 ransomware attack by the ALPHV/BlackCat group that exposed names, Social Security numbers, medical records, and financial information belonging to 2.5 million patients and employees. Eligible class members can claim up to $80 for time spent dealing with the breach, up to $2,500 for documented expenses, and three years of medical identity monitoring. The deadline to file is May 18, 2026, at nortondataincidentsettlement.com.

If you were affected, do not leave money on the table — file your claim before the deadline, and take the additional protective steps of freezing your credit and monitoring your insurance statements for signs of fraud. The settlement is imperfect, as all class action settlements for data breaches tend to be, but it is the available remedy. Use it, and stay alert.
