Kalispell Regional Healthcare based in Montana has offered a $4.2 million settlement deal to take care of a lawsuit filed on behalf of victims associated with a data breach that was reported in October 2019.
The lawsuit was filed soon after the report that the protected health information (PHI) of roughly 130,000 patients was impermissibly disclosed due to a sophisticated phishing attack. Unauthorized people got access to a few email accounts after staff members clicked links in phishing emails and gave away their login credentials. The attackers first obtained access to the email accounts on May 24, 2019 and had access to the email accounts for a couple of months. The compromised email accounts held PHI including names, telephone numbers, addresses, birth dates, Social Security numbers, medical record numbers, health insurance data and medical histories. The hackers stole about 250 Social Security numbers.
The legal case alleged that Kalispell Regional Healthcare didn’t employ proper measures to protect the privacy of patient information, had not trained its employees on proper security awareness, and was not effectively checking potential compromises. If it did, it would have been possible to detect the breach far more easily. The lawsuit additionally claimed Kalispell Regional Healthcare did not give breach victims timely notifications, did not stick to industry-recognized specifications and cybersecurity best practices and broke the Montana Uniform Health Care Information Act.
Prior to the data breach, Kalispell Regional Healthcare stated it had put in place a variety of cybersecurity measures to keep the privacy and confidentiality of patients’ PHI. At the time of the breach, a top cybersecurity consulting company affirmed that Kalispell Regional Healthcare was in the top 9% of healthcare providers for cybersecurity compliance, yet the measures implemented were still not enough to stop the breach.
Kalispell Regional Healthcare decided to settle the lawsuit to end the lawsuit and avoid continuing legal expenses. The organization didn’t admit doing any wrong or have any liability for the security breach.
Under the terms of the settlement, Kalispell Regional Healthcare will provide a $4.2 million fund to cover different forms of relief for affected individuals, including repayment for out-of-pocket costs, payment for time spent taking care of identity restoration services and credit-monitoring services, no-cost membership to Experian credit monitoring services for three years, and free identity theft restoration services for five years. Plaintiffs can claim as much as $15,000 for out-of-pocket expenditures and up to $75 payment for time expended in response to the breach.
The offered settlement is due for approval by the Eighth Judicial District Court Judge Elizabeth Best. The approval hearing will be on January 5, 2021. In case the settlement is okayed, plaintiffs will have until February 25, 2021 to send their claims.