130,000-Record Data Breach Results in Legal Action Against Kalispell Regional Healthcare

by | Dec 5, 2019

A legal action is being taken against Kalispell Regional Healthcare in Montana in relation to a phishing attack in which cybercriminals obtained access to employee email accounts including the protected health information of almost 130,000 clients.

The impacted email accounts included patient information such as names, contact information, medical bill account numbers, medical records, and health insurance information. Around 250 people also had their Social Security number obtained.

The phishing attack took place during May 2019, but it was not first clear which, if any, patients had been impacted. It took until August for forensic investigators to deduce that patient information had potentially been impacted.

All impacted patients were made aware of the issue, and the health system offered one year of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been impacted.

One of the patients whose personal and health information was impacted has now taken legal action in relation to the data breach. The legal action was submitted in Cascade County District Court in Great Falls, MT on November 25 by attorney John Heenan. Heenan is seeking class action status for the legal action.

The legal action claims Kalispell Regional Healthcare did not implement necessary measures to keep patients’ personal and health information private and confidential, it did not abide by best practices and industry practices for securing patient data, and that the health system failed to alert patients about the breach in a timely manner. As a result of the alleged failures, it the legal action claims patients have been placed at risk of identity theft and fraud.

It does not seem that Henderson’s personal and health information has been improperly used at the time the legal action was submitted; however, he claims that he is at risk of identity theft and fraud, which could occur at any time now that his information is in the hands of hackers.

Patients cannot sue healthcare providers for damages under HIPAA as there is no private cause of action, but it is possible to take legal action in many states over healthcare data breaches, as is the situation in Montana.

The Montana Uniform Health Care Information Act allows those impacted in healthcare data breaches to take legal actions against healthcare providers for violations of the Act. The lawsuit alleges Kalispell Regional Healthcare is breaching the Act.

After it became clear that patient information had possibly been compromised, the health system issued alerts to impacted patients and reported the breach local media outlets.

Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, stated that:  “This wasn’t your everyday, average hacker. They were very sophisticated at disguising their tracks.”

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy