Class Action Filed in Logan Health Breach Affecting 214,000Negligence Alleged; Entity Settled a Lawsuit in an Earlier Hacking Incident
A proposed class action lawsuit against a Montana-based healthcare organization in the wake of a recent hacking incident affecting nearly 214,000 individuals - the entity's second significant breach since 2019 - alleges, among other claims, that the entity was negligent when it failed to protect sensitive data.
The lawsuit was filed against Logan Health Medical Center - formerly called Kalispell Regional Healthcare - on March 9 in a Montana federal court by patient Allison Smeltz on behalf of herself and others similarly affected by a hacking incident discovered in November 2021.
Logan Health reported the breach, which it described as a "highly sophisticated criminal attack" on its IT systems, to state and federal regulators last month as affecting nearly 214,000 individuals (see: Healthcare Entity Reports Another Big Hacking Incident).
Besides alleging that Logan Health was negligent in failing to secure sensitive personally identifiable information and protected health information, the lawsuit accuses the Kalispell, Montana-based organization of alleged invasion of privacy, breach of implied contract, unjust enrichment and violations of Montana's Consumer Protection Act.
Logan Health - while still operating under the Kalispell Regional Health name - in 2020 agreed to a multimillion-dollar settlement in another class action lawsuit related to a separate 2019 hacking incident that affected 140,000 individuals.
Proposed Class Action Lawsuit
The proposed federal class action lawsuit complaint filed against Logan Health last week involving the 2021 breach says that Kalispell Regional, after its 2019 hacking incident, claimed to be taking "further steps to revise procedures that will minimize the risk of a similar event happening again" and that the organization said it had "taken steps to prevent similar events from occurring in the future.’”
But, the lawsuit alleges: "The 2021 data breach occurred because, despite representations to the contrary, Logan Health failed to implement adequate and reasonable training of employees and/or procedures and protocols which would have prevented the data breach from occurring."
"Logan Health's conduct in view of its previous data breach incidents constitutes 'fraud' or 'malice' as those terms are defined under Montana law for purposes of imposing punitive damages," the complaint alleges.
2021 Breach Details
In a sample breach notification letter provided to the Maine attorney general's office on Feb. 22, Logan Health says that on Nov. 22, 2021, it discovered suspicious activity in its IT systems, "including evidence of unauthorized access to one file server that includes shared folders for business operations."
On Jan. 5, the organization's investigation into the incident determined that there had been unauthorized access to certain files containing personal information of patients, employees and business associates, Logan Health says.
The information potentially compromised varies by individual, but includes name, address, medical record number, date of birth, telephone number, email address, insurance claim information, dates of service, treating/referring physician, medical bill account number and/or health insurance information, it says.
In October 2019, before it was renamed Logan Health, Kalispell reported a data breach affecting more than 140,000 individuals, which was described as being similar to that of the recent incident - a "highly sophisticated attack."
In a breach notification statement related to the earlier incident, Kalispell said it discovered during the summer of 2019 that several employees had been "victims of a well-designed email that led them to unknowingly provide their [Kalispell] login credentials to malicious criminals."
Kalispell Regional Healthcare in December 2020 settled a class action lawsuit for $4.2 million that had been filed in Montana state court in the aftermath of the 2019 breach. Among other claims, that lawsuit alleged violations of various Montana state laws.
Also, following the earlier hacking incident, a proposed class action lawsuit was filed in December 2019 in a Montana federal court against Kalispell Regional by several patients affected by the breach. But that federal lawsuit was voluntarily dismissed by the plaintiffs in March 2020.
Logan Health did not immediately respond to Information Security Media Group's request for comment.
Experts say important lessons are emerging from the Logan Health situation, especially considering that the organization experienced two significant hacking incidents within a short time period, both resulting in legal action.
"Two significant breaches, virtually back to back, call into question its ability to safeguard patient health information," says regulatory attorney Paul Hales of the Hales Law Group. "Publicity about the breaches and lawsuits is no doubt causing Logan to suffer incalculable reputation damage," he says.
All covered entities and business associates should heed these incidents "as yet another reason to review or refresh their HIPAA compliance programs and particularly their risk analysis and risk management activities immediately," he says.
Regulatory attorney Rachel Rose says that any major data breach should underscore the importance of adopting a National Institute of Standards and Technology-prescribed approach to cybersecurity - prevention, detection and correction.
Also, under HIPAA, failing to do several critical actions is "problematic," she says. Those include annual risk analysis, annual training, annual review and update of comprehensive policies and procedures, business associate agreements, and encryption at rest and in transit.
"Ransomware attacks are becoming more sophisticated, so it is important to get a forensic team in to discern whether or not there is a lingering malware," Rose says. "It may be hidden, which is another reason to file with the FBI's online portal."
She also says organizations should keep in mind that cyber insurance is becoming both harder to obtain and more expensive. "Think of two cyberattacks like having multiple car accidents - rates go up, even if it is not your fault."