Montana-based Kalispell Regional Healthcare is being sued because of a phishing attack that allowed hackers to gain access to employee email accounts that contain the protected health information (PHI) of roughly 130,000 patients.
The patient information contained in the compromised email accounts included names, contact details, medical bill account numbers, health insurance details, and medical histories. The Social Security numbers of around 250 people were also compromised.
The phishing attack happened in May 2019, but it was not clear at first which patients, if any, were affected. Forensic investigators only determined in August that patient information was potentially compromised.
Kalispell Regional Healthcare notified all affected patients and offered 12 months of credit monitoring and identity theft protection services for free to patients who had their Social Security numbers potentially compromised.
One patient whose personal and health information was compromised took legal action in relation to the data breach. On November 25, Attorney John Heenan filed the lawsuit in Cascade County District Court in Great Falls, MT. Attorney Heenan is aiming for class-action status for the lawsuit.
The lawsuit claims that Kalispell Regional Healthcare
- failed to take the required steps to secure the privacy and confidentiality of the personal and health information of patients
- did not follow the best practices and industry benchmarks for protecting patient data
- did not notify patients regarding the breach promptly
As a result of these alleged failures, the lawsuit claims that patients were placed at risk of identity theft and fraud.
It appears that the plaintiff, Henderson, had not had his personal and health information misused at the time the lawsuit was filed; nevertheless, he says that he remains vulnerable to identity theft and fraud, which could happen at any time because the hackers have his information.
Under HIPAA, patients cannot file a suit against healthcare providers for damages because there is no private cause of action. However, patients can take legal action in many states, as in Montana, for cases involving healthcare data breaches.
The Montana Uniform Health Care Information Act permits healthcare data breach victims to file suit against healthcare providers for violations of the Act. The lawsuit claims Kalispell Regional Healthcare has violated the Act.
After learning that patient information was potentially compromised, the health system sent notification letters to the affected patients and reported the breach through local media outlets.
Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, said that this case did not involve average hackers: they used sophisticated tricks to disguise their tracks. She also explained that patient privacy is a top priority of the health system and that email security solutions were in place before the attack to stop spam and phishing emails. Those email security controls block approximately 50,000 inbound email threats daily. She also said that CynergisTec audited the health system in 2018 and rated it among the top 9% of healthcare organizations for cybersecurity compliance.
Since the phishing attack, the health system has improved its email security and conducted additional training for employees to increase their awareness of email threats, including phishing attacks.