[BreachExchange] Kalispell hospital faces second lawsuit over data breach

[Destry Winant]

https://missoulian.com/news/local/kalispell-hospital-faces-second-lawsuit-over-data-breach/article_f47979cb-acad-5657-87c3-d8a54e9b5298.html

Kalispell Regional Healthcare patients this week filed a second
lawsuit against the northwest Montana healthcare provider after a data
breach may have compromised as many as 130,000 people.

Annette Nevidomsky, one of the plaintiffs in the case, said she
experienced unauthorized charges on her financial accounts. She
believes those unauthorized charges were incurred as a result of the
breach, which took place in May, although Kalispell Regional
Healthcare did not announce the breach until October.

The lawsuit, filed on Dec. 24, seeks to certify a class of all
Kalispell Regional's patients whose private healthcare information was
compromised in the breach. The filing includes two plaintiffs at this
point, including Nevidomsky.

William Henderson, a Cascade County resident, leveled a similar
lawsuit against Kalispell Regional Healthcare in November claiming the
hospital violated the Montana Uniform Health Care Information Act,
which states a victim of such a breach can seek damages from the
health care provider if the company is found to be in violation of the
act.

The second lawsuit also alleges a violation of the Montana Uniform
Health Care Information Act.

"KRH recently became aware of a lawsuit related to the data security
event announced in October. We have not had the opportunity to
thoroughly review the complaint and are not prepared to comment on its
allegations,"Kalispell Regional spokesperson Mellody Sharpton told the
Missoulian in an email on Thursday.

"KRH is, however, disappointed about the lawsuit. We value our
relationships with our patients and take safeguarding their privacy
very seriously," Sharpton added.

A voicemail left for William Rossbach, representing the plaintiffs in
the newer lawsuit, seeking comment was not returned Thursday.

The breach was carried out through a "sophisticated cyberattack," in
which employees responded to a phishing email inadvertently disclosing
their login credentials. The hospital was not aware of the extent of
the attack until an outside forensic firm completed a review for the
hospital.

Since the breach, the hospital has taken steps to help employees learn
how to identify suspicious emails, according to the earlier lawsuit.
Kalispell Regional had offered all notified patients complimentary
fraud consultation and identity theft restoration services.