[BreachExchange] Kalispell hospital sued over data breach

Destry Winant destry at riskbasedsecurity.com
Thu Dec 5 10:16:00 EST 2019


Kalispell Regional Healthcare, northwest Montana's largest healthcare
provider, was sued late last month by one of the 130,000 patients
whose information was possibly compromised in a data breach announced
by the hospital in October.

William Henderson, represented by Billings attorney John Heenan, filed
the civil complaint in Cascade County District Court on Nov. 25. The
suit alleges Kalispell Regional Healthcare failed to take the
necessary steps to protect patients' private information before the
breach. The complaint seeks to certify more plaintiffs into a class
action lawsuit.

"This has been a way that criminals have tried to gain access to
people's private information and specifically their private healthcare
information," Heenan said in a phone interview Wednesday. "It's our
contention by filing this lawsuit that they should have done a lot
better by their patients in protecting that information."

Mellody Sharpton, a spokeswoman for Kalispell Regional Healthcare,
said Wednesday she did not have enough information available to
comment on the filing.

However, since the breach, the hospital has taken steps to help
employees learn how to identify suspicious emails, according to the
lawsuit. The Inter Lake reported Kalispell Regional offered all
notified patients complimentary fraud consultation and identity theft
restoration services.

The hospital fell victim to the cyber attack in May, when hackers used
emails to lure the hospital's employees into providing login
credentials, the Daily Inter Lake reported. Kalispell Regional
Healthcare was not aware of the extent of the attack until an outside
forensic firm completed a review for the hospital. Authorities
estimate 250 patients' Social Security numbers "may have been taken"
in the breach.

Henderson's lawsuit alleges the data breach was "caused by KRH's
failure to abide by best practices and industry standards" in securing
patient data. The suit also alleges Kalispell Regional Healthcare did
not notify patients clearly or in a timely manner of the nature and
extent of the information breached. As a result, patients have
been left exposed to identity theft, the suit states.

Henderson's claim against Kalispell Regional stands on the Montana
Uniform Health Care Information Act, which states a victim of such a
breach can seek damages from the health care provider if the company
is found to be in violation of the act.
