Kalispell Regional Healthcare, based in Montana, is being sued following a phishing attack that gave hackers access to employee email accounts containing the protected health information (PHI) of about 130,000 patients.
The patient data stored in the affected email accounts included names, contact information, medical bill account numbers, health insurance information, and medical histories. The Social Security numbers of about 250 people were also compromised.
The phishing attack occurred in May 2019, although it was not initially clear which people, if any, were affected. Forensic investigators only confirmed in August that patient data had likely been exposed.
Kalispell Regional Healthcare sent notification letters to all affected patients and offered one year of free credit monitoring and identity theft protection services to those whose Social Security numbers were likely exposed.
One individual whose personal and medical data were exposed has taken legal action over the breach. On November 25, attorney John Heenan filed the case in Cascade County District Court in Great Falls, MT. Heenan is seeking class-action status for the case.
The lawsuit states that Kalispell Regional Healthcare
- failed to take the steps needed to protect the privacy and confidentiality of patients' personal and medical data
- did not comply with guidelines and industry standards for safeguarding patient information
- failed to notify patients of the breach promptly
Because of these alleged failures, the lawsuit states, patients were placed at risk of identity theft and fraud.
The plaintiff, Henderson, does not appear to have had his personal and medical data misused at the time the case was filed; nonetheless, he states that he is at risk of identity theft and fraud, which could occur at any time given that hackers possess his data.
Under HIPAA, patients cannot sue healthcare organizations for damages, since the law provides no private cause of action. However, patients can file suit in many states, including Montana, over healthcare data breaches.
The Montana Uniform Health Care Information Act allows victims of healthcare data breaches to claim damages from healthcare organizations for violations of the Act. The lawsuit alleges that Kalispell Regional Healthcare violated the Act.
After learning that patient data had potentially been exposed, the health system mailed breach notifications to the affected patients and announced the breach through local media outlets.
Kalispell Regional Healthcare's director of information technology, Melanie Swenson, said the attackers were not ordinary hackers; they used advanced techniques to cover their tracks. She added that patient privacy is a major concern for the health system and that email security solutions were already in place before the attack to block spam and phishing emails. Those email security controls stop about 50,000 inbound email threats every day. She also noted that CynergisTek reviewed its systems in 2018 and ranked it among the top 9% of healthcare organizations for cybersecurity compliance.
After the phishing attack, the provider upgraded its email security and provided security awareness training for employees.