Kalispell Regional Healthcare Proposes $4.2 Million Settlement to Resolve Data Breach Lawsuit

The Montana-based healthcare provider Kalispell Regional Healthcare has proposed a $4.2 million settlement to resolve a lawsuit filed on behalf of victims of a data breach that was announced in October 2019.

The lawsuit was filed shortly after the announcement that the protected health information of approximately 130,000 patients had been impermissibly disclosed as a result of a sophisticated phishing attack. Unauthorized individuals had gained access to several email accounts after employees responded to phishing emails and disclosed their login credentials. The attackers first gained access to the email accounts on May 24, 2019, and were able to continue to access the accounts for several months. The compromised email accounts contained PHI such as names, addresses, telephone numbers, dates of birth, medical record numbers, medical histories, Social Security numbers, and health insurance information. Around 250 Social Security numbers are known to have been stolen by the attackers.

The lawsuit alleged that Kalispell Regional Healthcare had failed to implement appropriate measures to ensure the privacy of patient data, had not provided adequate security awareness training to its employees, and was not adequately monitoring for potential compromises; had such monitoring been in place, the lawsuit argued, the breach would have been detected far more rapidly. The lawsuit also alleged that Kalispell Regional Healthcare had not provided breach victims with timely notifications, was not adhering to industry-recognized standards and cybersecurity best practices, and was in violation of the Montana Uniform Health Care Information Act.

Kalispell Regional Healthcare said that, prior to the data breach, it had implemented a range of cybersecurity measures to keep the PHI of patients private and confidential. At the time of the breach, a leading cybersecurity consulting firm confirmed that Kalispell Regional Healthcare ranked in the top 9% of healthcare organizations for cybersecurity compliance, yet the measures put in place were still not sufficient to prevent the breach.

The decision to settle the lawsuit was made to bring the lawsuit to a close and prevent ongoing legal costs. Kalispell Regional Healthcare has denied any wrongdoing and has not admitted liability for the breach.

Under the terms of the settlement, a $4.2 million fund will be made available to cover various forms of relief for breach victims, including reimbursement for out-of-pocket expenses, reimbursement for time spent arranging identity restoration services and credit-monitoring services, a three-year complimentary membership to Experian credit monitoring services, and five years of free identity theft restoration services. Plaintiffs are entitled to claim up to $15,000 for out-of-pocket expenses and up to $75 in reimbursement for time spent responding to the breach.

The settlement must now go before Eighth Judicial District Court Judge Elizabeth Best to be approved. The final approval hearing is scheduled for January 5, 2021. If the settlement is approved, plaintiffs will have until February 25, 2021 to submit their claims.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.