Share this article on:
Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients.
The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, medical histories, and health insurance information. Approximately 250 individuals also had their Social Security number exposed.
The phishing attack occurred in May 2019, but it was not initially clear which, if any, patients had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised.
All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been compromised.
One of the patients whose personal and health information was compromised, William Henderson, has now taken legal action over the data breach. The lawsuit was filed in Cascade County District Court in Great Falls, MT on November 25 by attorney John Heenan. Heenan is seeking class action status for the lawsuit.
The lawsuit alleges Kalispell Regional Healthcare failed to take the necessary steps to keep patients’ personal and health information private and confidential, it did not abide by best practices and industry standards for securing patient data, and that the health system failed to notify patients about the breach in a timely manner. As a result of the alleged failures, it the lawsuit alleges patients have been placed at risk of identity theft and fraud.
It does not appear that Henderson’s personal and health information has been misused at the time the lawsuit was filed; however, he claims that he is at risk of identity theft and fraud, which could occur at any time now that his information is in the hands of hackers.
Patients cannot sue healthcare providers for damages under HIPAA as there is no private cause of action, but it is possible to take legal action in many states over healthcare data breaches, as is the case in Montana.
The Montana Uniform Health Care Information Act allows victims of healthcare data breaches to sue healthcare providers for violations of the Act. The lawsuit alleges Kalispell Regional Healthcare is in violation of the Act.
After it was learned that patient information had potentially been compromised, the health system issued notifications to affected patients and reported the breach local media outlets. in the areas
Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, explained that “This wasn’t your everyday, average hacker. They were very sophisticated at disguising their tracks.” She also explained that protecting the privacy of patients is a key priority for the health system and that email security solutions had been implemented prior to the attack to block spam and phishing emails. The security solutions were blocking around 50,000 inbound email threats each day. She also stated that CynergisTec had conducted an audit of the health system in 2018 and found it to be in the top 9% of healthcare industry organizations for cybersecurity compliance.
Since the attack, email security has been improved and the health system has increased training for employees to help them recognize phishing attacks and other email threats.