A previously approved $4.3 million settlement of a class action lawsuit for HIPAA training failures and non-compliance with the Security Rule can go ahead after an appeal against the amount deducted for attorneys’ fees was dismissed.
In February 2022, Logan Health – a major health system based in Kalispell, MT – notified HHS’ Office for Civil Rights that hackers had accessed a file server containing the Protected Health Information of 213,543 patients. The information accessed included names, addresses, medical record numbers, dates of birth, insurance claim information, treating and/or referring physician, medical bill account number, and/or health insurance information.
As well as notifying each affected patient of the data breach, Logan Health offered twelve months of identity monitoring services to protect patients from identity theft and insurance fraud. However, for some affected patients, this was not enough. A number of lawsuits were filed on behalf of affected patients, and these were consolidated into a class action lawsuit in April 2022 (Tafelski, et al. v. Logan Health Medical Center).
In the class action lawsuit for HIPAA training failures and non-compliance with the Security Rule, the plaintiffs alleged that Logan Health had failed to provide sufficient security awareness training to its workforce and had failed to implement reasonable and appropriate cybersecurity measures. The plaintiffs argued that if adequate security awareness training had been provided to members of the workforce, the data breach would not have occurred.
The Background to the Lawsuit for HIPAA Training Failures
Although Logan Health denied the allegations, the health system had previously notified HHS’ Office for Civil Rights of an earlier data breach in October 2019. This data breach had been attributable to multiple members of the workforce falling for phishing emails. The unsecured PHI of 149,661 patients was disclosed in the phishing attack including names, dates of birth, claims information, diagnoses, medications prescribed, and other treatment information.
Following the 2019 data breach, Logan Health sought technical assistance from HHS’ Office for Civil Rights and was supposed to have implemented additional technical and administrative safeguards (including HIPAA training) to support HIPAA compliance. However, according to the notification letter for the 2022 breach, the hackers had first gained access to the compromised file server shortly after HHS’ Office for Civil Rights had finished providing technical assistance.
Because of Logan Health’s alleged failure to resolve the issues responsible for the 2019 data breach, plaintiffs in the “Tafelski” class action lawsuit for HIPAA training failures claimed to have suffered the compromise, publication, theft and/or unauthorized use of their PHI; out-of-pocket costs for the prevention, detection, recovery, and remediation of identity theft or fraud; lost opportunity costs and lost wages; and a continued risk to their PHI.
Logan Settles for $4.3 Million, but the Lawsuit is Appealed
Although Logan Health continued to deny the allegations, the health system chose to settle the class action lawsuit for HIPAA training failures for $4.3 million without an admission of liability. However, the proposed distribution of the settlement was jeopardized by a Cascade County District Court judge awarding the attorneys who acted on behalf of the plaintiffs almost $1.3 million in fees – almost a third of the total settlement.
Several beneficiaries of the settlement appealed the award – alleging that a motion of discovery (for a breakdown of the attorneys’ costs) had been rejected by the District Court and that Logan Health had colluded with the attorneys during settlement negotiations. Both Logan Health and the attorneys denied the allegations and, on September 18, 2023, the Montana Supreme Court dismissed the appeal – clearing the way for the settlement to go ahead.