Patient Privacy News

$4.2M Settlement Proposed in Kalispell Regional Breach Lawsuit

The 130,000 patients affected by a months-long data breach at Kalispell Regional Healthcare in 2019 reached a $4.2 million settlement with the Montana provider.


By Jessica Davis

A proposed $4.2 million settlement has been reached in the lawsuit filed against Kalispell Regional Healthcare (KRH) by the 130,000 patients affected by a monthslong data breach reported by the Montana provider in 2019.

The proposed settlement was filed in the Eighth Judicial District Court in Montana, where a hearing will be held January 5, 2021 to determine whether the agreement will be approved and whether the case will be certified as a class action. Kalispell denies any wrongdoing, and no judgment or determination of wrongdoing has been made.

Filed in December 2019, the lawsuit stems from a phishing attack on KRH discovered during the summer of 2019.

Several employees fell victim to a highly sophisticated phishing attack in May 2019, responding to the malicious emails with their KRH credentials. As a result, the hackers gained access to those employees' accounts beginning on May 24, 2019, and the intrusion was not discovered by KRH officials for several months.

The attackers may have accessed a range of data that varied by patient, including Social Security numbers, medical record numbers, insurance information, provider names, dates of service, contact information, birthdates, medical histories, and other sensitive information.

Notably, about 250 SSNs were stolen by the attackers during the cyberattack.

One of the breach victims, William Henderson, soon filed a lawsuit against KRH for failing to properly secure patient data. The breach notice explained that, following the phishing incident, KRH strengthened its security and provided employees with further training on identifying suspicious emails.

According to the lawsuit, the breach occurred because KRH failed to implement adequate and reasonable employee training, as well as the security policies and protocols needed to protect patient information, prior to the breach; such measures would have “at least detected the breach much earlier.”

Further, the lawsuit argued that KRH failed to adhere to industry-recognized standards and best practices and also claimed KRH failed to provide patients with timely breach notifications.

“KRH failed to employ any of these defenses,” according to the suit. “As evidenced by the success of the phishing hack, it’s clear that KRH failed to ensure that its employees were adequately trained on even the most basic of cybersecurity protocols, including how to detect phishing emails and other scams [and] effective password management and encryption protocols…”

“KRH’s failures handed criminals patient protected health information and personally identifiable information and put [patients] at serious, immediate, and ongoing risk for identity theft and fraud,” the suit continued.

The lawsuit further argued that KRH violated the Montana Uniform Health Care Information Act. As such, the lawsuit sought actual and statutory damages, breach-related costs and expenses, attorneys’ fees, and any further relief the court deemed appropriate.

Under the proposed settlement, KRH would establish a $4.2 million settlement fund within 21 days of approval by the court to cover all patients’ associated financial losses caused by the breach.

Breach victims would be entitled to up to $15,000 for reimbursement of out-of-pocket losses, and up to five hours at $15 per hour for time spent on actions taken in response to the breach, capped at $75 per victim.

The settlement also carved out three years of credit monitoring services and five years of identity restoration services for eligible victims.

KRH would also be required to provide counsel with an account of the remedial actions taken by the provider following the security incident, including cybersecurity training and awareness programs, data security policies, security measures, restrictions on access to PHI, and monitoring and response capabilities.

If approved, the KRH breach settlement would become one of the more expansive agreements seen in recent years. For example, the $2.8 million UnityPoint Health settlement provided victims with up to $6,000, compared with the KRH settlement allotting patients up to $15,000 for reimbursement of breach-related losses.

While the number of lawsuits tied to healthcare data breaches has grown this year, most providers opt to settle with breach victims out of court. Recent breach settlements with Saint Francis Healthcare, Banner Health, and Grays Harbor Community Hospital focused more on requiring the breached providers to bolster their cybersecurity programs.