Healthcare Entity Reports Another Big Hacking Incident
Recent Breach Affects Nearly 214,000; Incident in 2019 Affected 140,000
A Montana-based healthcare organization is notifying nearly 214,000 individuals of a hacking incident affecting patients, employees and business associates. The breach - described as a "sophisticated criminal attack" - is the second major hacking incident reported by the entity since 2019.
In a breach report filed on Tuesday to the state of Maine's attorney general, Kalispell, Montana-based Logan Health Medical Center, formerly known as Kalispell Regional Healthcare, says an "external system" hacking incident discovered in November 2021 affected 213,543 individuals, including four Maine residents.
In October 2019, while still called Kalispell Regional, the organization reported to the U.S. Department of Health and Human Services an email phishing incident affecting more than 140,000 individuals (see: Phishing Schemes Continue to Plague Healthcare Sector).
The Latest Hack
In a sample breach notification letter provided to the Maine attorney general's office, Logan Health says that on Nov. 22, 2021, it discovered suspicious activity in its IT systems, "including evidence of unauthorized access to one file server that includes shared folders for business operations."
On Jan. 5, the organization's investigation into the incident determined that there was unauthorized access to certain files containing personal information of patients, employees and business associates, Logan Health says. The information potentially compromised varies by individual, it says.
Logan Health says affected information includes name, address, medical record number, date of birth, telephone number, email address, insurance claim information, dates of service, treating/referring physician, medical bill account number and/or health insurance information.
In a notice posted on its website, Logan Health describes itself as "a victim of a highly sophisticated criminal attack on our information technology systems, which may have involved patients' personal information."
In the wake of the incident, Logan Health says it has deployed "additional safeguards to further fortify" its information systems.
Logan Health is a health system that includes five hospitals, with a total of 577 beds, plus more than 40 provider clinics and a number of other healthcare services in the Flathead Valley of northwest Montana.
The Earlier Breach
In October 2019, before it was renamed Logan Health, Kalispell reported a data breach whose description is similar to that of the recent incident - a "highly sophisticated attack."
In a breach notification statement related to the earlier incident, Kalispell said it discovered during the summer of 2019 that several employees "were victims of a well-designed email that led them to unknowingly provide their [Kalispell] login credentials to malicious criminals."
The organization's investigation determined that some patients' information may have been accessed as early as May 24, 2019.
Kalispell reported the breach to HHS' Office for Civil Rights as affecting 140,209 individuals' information, including name, Social Security number, address, medical record number, date of birth, telephone number, email address, medical history and treatment information, date of service, treating/referring physician, medical bill account number and/or health insurance information.
The organization's 2019 breach notification said Kalispell had "taken steps to prevent similar events from occurring in the future."
Regulatory Scrutiny?
Regulatory attorney Paul Hales of Hales Law Group says that it is generally HHS OCR’s preference to provide technical assistance to a cooperating organization following a HIPAA violation, in lieu of engaging "higher levels" of enforcement.
"That likely happened in 2019," he says regarding the earlier breach reported by Kalispell.
"However, when an organization violates HIPAA shortly after receiving technical assistance, OCR has been inclined to require a settlement payment and corrective action plan while citing its previous technical assistance to the organization," he says.
Logan’s breach notification "follows the usual practice of advising affected individuals about steps they should take to protect themselves from financial consequences of identity theft," he says. Logan is offering one year of credit and identity monitoring.
"However, Logan has not provided advice about steps to detect medical identity theft, which is the fastest growing form of identity theft and the most dangerous to patient safety and well-being," Hales says.
"We are beginning to see HIPAA breach notifications that do include steps to detect and protect against medical identity theft, like reviewing your medical record for suspicious entries. We hope that will become the norm."
Logan Health did not immediately respond to Information Security Media Group's request for additional details about the two incidents.