Healthcare Organizations Face Legal and Notification Fallout From Ransomware-Linked Data Theft
Norton Healthcare agreed to pay $11 million to settle a class-action lawsuit tied to a 2023 ALPHV/BlackCat ransomware-related data theft that reportedly involved 4.7 TB of stolen data and impacted nearly 2.5 million people. The preliminary settlement provides for reimbursement claims (up to $2,500 for unreimbursed expenses), compensation for time spent responding to the incident (up to $80), and three years of medical identity monitoring, pending final court approval.
Separately, Ohio-based Kettering Health began notifying current and former patients and affiliates about a May 2025 ransomware and data theft incident claimed by the Interlock cybercrime group. Reporting indicates Interlock publicly listed Kettering Health on its leak site and claimed roughly 941–950 GB of data, and Kettering previously warned patients about scam calls from fraudsters impersonating medical bill collectors seeking credit card payments—activity consistent with post-breach social engineering and fraud attempts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
9 events from the most recent confirmed update back to the earliest known activity.
Final approval hearing set for Norton settlement
A final court approval hearing for Norton Healthcare's preliminary $11 million settlement was scheduled for May 15 in Kentucky state court. The settlement reportedly does not require Norton to implement specific security improvements.
Norton Healthcare agrees to $11 million breach settlement
Norton Healthcare agreed to pay $11 million to settle a class action lawsuit over the 2023 BlackCat-related data theft. The preliminary settlement includes reimbursement for certain losses, compensation for time spent responding, and three years of medical identity monitoring, while Norton denied wrongdoing.
Kettering Health begins notifying patients and affiliates
By February 2026, Kettering Health was notifying an unspecified number of current and former patients and affiliates about the 2025 Interlock-linked breach. The organization said it worked with federal law enforcement and was reviewing its cybersecurity policies and practices.
Kettering Health reports breach to federal regulators
In July 2025, Kettering Health reported the incident to federal regulators as a hacking breach affecting 501 individuals, using that figure as a placeholder. The organization did not provide an updated total in the referenced reporting.
Interlock lists Kettering Health on leak site
In June 2025, the Interlock group publicly listed Kettering Health on its leak site and claimed to have stolen roughly 941 GB of data. As of February 2026, the leak site still listed Kettering with about 950 GB allegedly available.
Kettering Health intrusion continues through May 20
Kettering Health said unauthorized access to its environment lasted until May 20, 2025. The incident disrupted its IT environment for weeks, affecting patient care, canceling elective procedures, and causing emergency room diversions.
Unauthorized access begins in Kettering Health environment
Kettering Health said unauthorized actors first accessed its environment on April 9, 2025, in an intrusion later tied to the Interlock cybercrime group. The attackers potentially viewed and acquired files containing personal, health, and financial data.
BlackCat data theft at Norton affects nearly 2.5 million people
The May 2023 Norton Healthcare incident was attributed to the ALPHV/BlackCat ransomware group and ultimately affected nearly 2.5 million people. BlackCat claimed to have stolen about 4.7 TB of data, including sensitive personal, health, insurance, and financial information.
Attackers access Norton Healthcare network storage devices
Norton Healthcare said attackers accessed certain network storage devices between May 7 and May 9, 2023, in a ransomware-related data theft incident later attributed to ALPHV/BlackCat. Norton said its medical record system and MyChart portal were not accessed.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Norton Healthcare to Pay $11M to Settle BlackCat Lawsuit
bankinfosecurity.com
Open sourceNorton Healthcare to Pay $11M to Settle BlackCat Lawsuit
govinfosecurity.com
Open sourceKettering Health Notifying Patients of Interlock Breach
govinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Data Breach and Ransomware Incident Roundup
Several healthcare-related organizations disclosed **separate data breach incidents** involving ransomware, unauthorized network access, and third-party compromise. CommonSpirit Health said patient data was exposed through a downstream vendor chain after **Pinnacle Holdings Ltd** suffered a ransomware attack, with attackers present in the network from November 11 to November 25, 2024, and exfiltrating files before the incident was later relayed through **NorthGauge Healthcare Advisors**. Meadowlark Hills and MedPeds also disclosed breaches tied to the **Beast ransomware** group, while Tieu Dental reported unauthorized access to its network in July 2025 that exposed patient information including Social Security numbers, medical and insurance data. These incidents led to regulatory notifications and offers of credit monitoring or identity theft protection for affected individuals. A separate legal development involved **Geisinger Health** and **Nuance Communications**, where a judge approved a **$5 million settlement** over claims tied to a former Nuance employee's theft of medical records affecting about 1.3 million patients. That matter differs from the ransomware and breach notifications because it concerns civil litigation over an earlier insider data theft rather than a newly disclosed intrusion. Overall, the reporting reflects ongoing exposure of protected health information across the healthcare sector through both direct attacks and third-party relationships, with delayed notification timelines and incomplete early visibility into the full scope of compromised data remaining recurring issues.
Apr 17, 2026
Healthcare Cyber Incidents: Kettering Health Ransomware Litigation, Insightin Health GoAnywhere Breach, and Polish Hospital Disruption
Multiple healthcare-sector cyber incidents were reported, including ongoing fallout from a major U.S. provider ransomware event. **Kettering Health** continues to face escalating legal exposure from a 2025 ransomware attack attributed to **Interlock**, which allegedly stole **941 GB** of data and encrypted systems; the disruption forced shutdown of roughly **600 applications**, a temporary shift to paper workflows, and delays to care while systems (including *Epic* EHR) were restored. Dozens of patient lawsuits have been filed and consolidated in Ohio, with claims focused not only on data theft but also alleged **delayed or denied medical care** during the outage. Separately, healthcare vendor **Insightin Health** disclosed a 2025 security incident involving its use of the *GoAnywhere* managed file transfer tool, reporting that an unauthorized party accessed GoAnywhere by exploiting an **“unknown design flaw”** and potentially accessed files on a subset of servers between **Sept 17–23, 2025**; impacted data may have included names, provider names, insurance information, and member IDs (no SSNs or financial data reported). In Europe, the Independent Public Regional Hospital in **Szczecin, Poland** reported a March 2026 cyberattack that **encrypted parts of hospital data**, disrupted digital operations, and forced a temporary return to paper-based processes, while the hospital stated urgent care continued despite slower administration.
Mar 21, 2026
Healthcare Provider Data Breaches and Ransomware-Linked Patient Data Exposure
Multiple U.S. healthcare organizations reported **unauthorized network access and patient data exposure**, with several incidents involving confirmed **data exfiltration** and follow-on notification/credit-monitoring actions. **QualDerm Partners** disclosed unauthorized access between **Dec. 23–24, 2025** with files exfiltrated and notifications being sent on a rolling basis, while **Carolina Foot & Ankle Associates** reported a **Dec. 2025** intrusion detected after a network disruption and confirmed exfiltration of files containing PHI (e.g., demographics, MRNs, insurance data, and treatment/billing codes). Additional breach disclosures included **Cedar Point Health** (intrusion detected around **June 16, 2025**, with a months-long data review concluding in late Jan. 2026 and impacted data potentially including SSNs/ITINs and government IDs) alongside separate notifications from **Wee Care Pediatrics** and **Easterseals Northeast Indiana**. Legal and regulatory consequences continued to surface from earlier healthcare incidents. **Asheville Eye Associates** agreed to settle consolidated class-action litigation tied to a **Nov. 2024** attack claimed by **DragonForce ransomware**, which allegedly exfiltrated **~540 GB** before encrypting systems and later leaked data when ransom was not paid; the breach was reported to HHS OCR as affecting **204,984** individuals. Sector-wide reporting also indicated **46** large healthcare breaches logged for **Jan. 2026** on the HHS OCR portal (500+ individuals), exposing **~1.44 million** individuals’ PHI, amid discussion that late-2025 reporting backlogs may have influenced recent month-to-month trends.
Mar 21, 2026