HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Logan Health Facing Class Action Lawsuit Over Data Breach

Legal action is being taken against Logan Health and subsidiary, sister, and related entities over a data breach that occurred in 2021 and affected 213,543 Logan Health Medical Center patients.

The class action lawsuit was filed in the U.S. District Court for the District of Montana Great Falls Division by law firm Heenan & Cook on behalf of plaintiff Allison Smeltz and all similarly affected individuals over the alleged failure of the health system to protect the plaintiff’s and class members’ sensitive personal information.

The data breach in question was reported by Logan Health in February 2022, with its investigation confirming unauthorized individuals had access to its system between November 18, 2021, and November 22, 2021. Hackers gained access to a single file server housing files that contained patients’ protected health information such as names, contact information, insurance claim information, date(s) of service, medical bill account number, and health insurance information. Logan Health said it had found no evidence of misuse of patient data, offered affected individuals complimentary credit monitoring and identity protection services, and said it is implementing additional measures to prevent similar data breaches.

According to the lawsuit, the cyberattack and data breach were due to the failure of Logan Health to “implement adequate and reasonable training of employees and/or procedures and protocols.” The lawsuit claims Logan Health and the other defendants should have been aware of the value of protected health information to hackers and the risk of data breaches, given the number of breaches now being reported and the warnings from Federal agencies to the healthcare industry.

The lawsuit points out that the data breach was one of several to have affected Logan Health. Logan Health reported another breach in January 2021 that affected 2,081 Montanans, and another in 2019 that affected 126,805 Montanans when Logan Health was operating as Kalispell Regional Healthcare.

The lawsuit claims that as a direct result of the failure to prevent the data breach, victims have suffered and will continue to suffer damages, including the compromise, publication, theft and/or unauthorized use of their PII/PHI, out-of-pocket costs from the prevention, detection, recovery, and remediation from identity theft or fraud, lost opportunity costs and lost wages, and the continued risk to their PII/PHI from the failure of Logan Health to implement appropriate safeguards to protect against data breaches.

The lawsuit cites several causes of action, including negligence, invasion of privacy, breach of implied contract, unjust enrichment, and violations of the Montana Consumer Protection Act, and alleges Logan Health had failed to comply with the requirements of the Health Insurance Portability and Accountability Act (HIPAA).

The lawsuit seeks class action status, a jury trial, injunctive relief, compensatory, statutory, and punitive damages, and attorneys’ fees.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.