A legal action is being taken against Kalispell Regional Healthcare in Montana in relation to a phishing attack in which cybercriminals obtained access to employee email accounts including the protected health information of almost 130,000 clients.
The impacted email accounts included patient information such as names, contact information, medical bill account numbers, medical records, and health insurance information. Around 250 people also had their Social Security number obtained.
The phishing attack took place during May 2019, but it was not first clear which, if any, patients had been impacted. It took until August for forensic investigators to deduce that patient information had potentially been impacted.
All impacted patients were made aware of the issue, and the health system offered one year of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been impacted.
One of the patients whose personal and health information was impacted has now taken legal action in relation to the data breach. The legal action was submitted in Cascade County District Court in Great Falls, MT on November 25 by attorney John Heenan. Heenan is seeking class action status for the legal action.
The legal action claims Kalispell Regional Healthcare did not implement necessary measures to keep patients’ personal and health information private and confidential, it did not abide by best practices and industry practices for securing patient data, and that the health system failed to alert patients about the breach in a timely manner. As a result of the alleged failures, it the legal action claims patients have been placed at risk of identity theft and fraud.
It does not seem that Henderson’s personal and health information has been improperly used at the time the legal action was submitted; however, he claims that he is at risk of identity theft and fraud, which could occur at any time now that his information is in the hands of hackers.
Patients cannot sue healthcare providers for damages under HIPAA as there is no private cause of action, but it is possible to take legal action in many states over healthcare data breaches, as is the situation in Montana.
The Montana Uniform Health Care Information Act allows those impacted in healthcare data breaches to take legal actions against healthcare providers for violations of the Act. The lawsuit alleges Kalispell Regional Healthcare is breaching the Act.
After it became clear that patient information had possibly been compromised, the health system issued alerts to impacted patients and reported the breach local media outlets.
Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, stated that: “This wasn’t your everyday, average hacker. They were very sophisticated at disguising their tracks.”