140,209 Patients Notified of Kalispell Regional Healthcare Phishing Attack

Kalispell Regional Healthcare in Montana is in the process of notifying approximately 140,000 patients that some of their protected health information (PHI) was potentially compromised in a security breach over the summer.

Kalispell Regional Healthcare operates Kalispell Regional Medical Center, a 138-bed hospital in Kalispell, MT. The breach has affected most of its patients.

The breach affected Kalispell Regional’s email system and was the result of multiple employees being fooled by a “highly sophisticated” phishing scam. Employees who responded to the phishing email inadvertently disclosed their login credentials to the attacker, who used those credentials to remotely access their email accounts. Kalispell Regional learned of the breach on August 28.

Upon discovery of the breach, all affected email accounts were disabled to prevent further unauthorized access, the security breach was reported to law enforcement, and an internal investigation was launched to determine the extent of the breach. The investigation revealed that the email account was breached on May 24, 2019, and that the compromised accounts contained messages and email attachments that included patients’ PHI.

The types of data exposed varied from patient to patient and may have included names, addresses, email addresses, telephone numbers, dates of service, treatment information, health insurance information, treating and referring physicians’ names, and medical bill account numbers. No more than 250 patients also had their Social Security number exposed.

Unauthorized access to PHI was possible, but no evidence has been uncovered to suggest that any patient information has been misused. Out of an abundance of caution, affected individuals have nevertheless been offered complimentary membership to credit monitoring and identity theft protection services with Kroll for 12 months, regardless of the types of information that were exposed.

It took several weeks to discover which patients had been affected and the types of information that had been exposed, hence the delay in issuing breach notification letters. The breach investigation concluded last week.

Kalispell Regional had implemented a range of cybersecurity measures prior to the breach and uses a third-party firm to conduct annual threat assessments to proactively identify vulnerabilities and improve its security posture. Those measures were insufficient to block the phishing attack in this instance. Kalispell Regional will continue to review its security measures and enhancements will be made to better protect patient data against phishing attacks.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights on October 22, 2019 indicates up to 140,209 patients were affected by the security breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.