Kalispell Regional Healthcare in Montana had a security breach last summer and is informing around 129,000 patients about the potential compromise of their protected health information (PHI).
Kalispell Regional Healthcare manages Kalispell Regional Medical Center, a 138-bed hospital in Kalispell, MT. The breach has impacted the majority of its patients.
The breach affected Kalispell Regional's email system. It happened because several employees were misled by a "highly sophisticated" phishing email. Employees who responded to the phishing email unintentionally revealed their login credentials to the attacker, who then used those credentials to gain remote access to their email accounts. Kalispell Regional became aware of the incident on August 28.
When the breach was discovered, Kalispell Regional disabled all affected email accounts to block the attacker from further unauthorized access, reported the security breach to law enforcement, and initiated an internal investigation to determine the scope of the breach. According to the investigation findings, the breach took place on May 24, 2019. Because the messages and attachments in the compromised email accounts contained PHI, patients' PHI was potentially exposed.
The data potentially compromised differed from one patient to another and might have included names, email addresses, postal addresses, phone numbers, dates of service, treatment data, medical insurance details, medical billing account numbers, and the names of treating and referring doctors. The Social Security numbers of about 250 patients may also have been exposed.
Though it is very likely that unauthorized PHI access occurred, no evidence was found to suggest that any patient information has been misused. As a precaution, the affected people were offered a free one-year membership in Kroll's credit monitoring and identity theft protection services, irrespective of the types of data exposed.
The investigators spent several weeks determining which patients were impacted by the breach and which types of data were exposed, which delayed the sending of breach notification letters. The investigation of the breach ended just last week.
Prior to the breach, Kalispell Regional had already employed a variety of cybersecurity measures and had hired a third-party company to perform yearly risk assessments to proactively identify vulnerabilities and improve its security posture. However, the implemented measures were not enough to prevent the phishing attack. Kalispell Regional is going to evaluate its security measures and improve them to better protect patient records against phishing attacks.