HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Second Lawsuit Filed Against Kalispell Regional Healthcare Over Phishing Attack

A second lawsuit has been filed against Kalispell Regional Healthcare in Montana over a May 2019 phishing attack that saw the email accounts of some of its employees accessed by cybercriminals.

Kalispell Regional Healthcare learned about the breach on August 28, 2019. The investigation revealed the hackers gained access to employee email accounts on May 24, 2019 and potentially accessed patient information. A forensic investigation revealed the accounts contained the protected health information of as many as 140,209 patients.

According to Kalispell Regional Healthcare’s substitute breach notification on its website, the following information was compromised in the breach: names, addresses, email addresses, telephone numbers, dates of service, treatment information, health insurance information, treating and referring physicians’ names, and medical bill account numbers. Kalispell Regional Healthcare said 250 or fewer patients had their Social Security number exposed. Patients affected by the breach were offered complimentary credit monitoring and identity theft protection services, and steps have been taken to improve email security.

The first lawsuit was filed on November 25, 2019, in the Cascade County District Court in Great Falls, MT, by attorney John Heenan on behalf of William Henderson, whose personal information was exposed in the breach. The lawsuit alleges the healthcare provider was negligent for failing to take appropriate steps to secure patient data and that industry best practices for securing patient data were not followed. Henderson claims he faces an increased risk of identity theft and fraud as a result of the breach, but it does not appear that his personal information had been misused at the time the lawsuit was filed. The lawsuit alleges violations of the Montana Uniform Health Care Information Act.

The second lawsuit was filed on December 24, 2019 by attorney William Rossbach on behalf of two patients who were impacted by the breach. The lawsuit also claims Kalispell Regional Healthcare violated the Montana Uniform Health Care Information Act. One of the patients, Annette Nevidomsky, claims she was a victim of fraud and had unauthorized charges on her accounts in the wake of the breach.

Both attorneys are seeking class action status for their lawsuits.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.