Logan Health Faces Lawsuit in Wake of Hacking Incident

March 14, 2022 - A victim of a November hacking incident against Logan Health Medical Center recently filed a class-action lawsuit against the Montana medical center, alleging negligence and invasion of privacy. Logan Health suffered a cyberattack in November 2021 that impacted 213,543 individuals.  

Logan Health discovered suspicious network activity on November 22, 2021, and later found evidence of unauthorized access to one file server containing information about patients, employees, and business associates.

Specifically, the unauthorized actor may have had access to Social Security numbers, names, email addresses, phone numbers, and birth dates. Logan Health began notifying impacted individuals of the event on February 22.

Logan Health said it was working to implement additional security safeguards and employee training in light of the incident, as well as providing 12 months of identity monitoring services to impacted individuals.

But the lawsuit, filed by patient Allison Smeltz, alleged that 12 months of identity monitoring services was “grossly inadequate” considering the extent of the breach. In addition, the lawsuit claimed that Logan Health was negligent in preventing this data breach considering its past.

“This data breach isn’t the first time Logan Health has allowed patient information to be compromised. The hospital has also previously reported a January 2021 data breach to the Montana Attorney General’s Office that affected 2,081 Montanans,” the lawsuit stated.

“In 2019, Logan Health, under its previous name of Kalispell Regional Healthcare, reported a breach to the Montana AG’s Office that affected 126,805 Montanans. Following the 2019 breach, Logan Health claimed to be taking ‘further steps to revise procedures that will minimize the risk of a similar event happening again’ and that ‘We...have taken steps to prevent similar events from occurring in the future.’”

The plaintiff argued that if Logan Health had in fact implemented additional safeguards in 2019, the 2021 breach might not have happened. They also claimed that Logan Health should have known how valuable protected health information (PHI) was on the black market and prepared accordingly.

As a result of Logan Health’s alleged negligence, the plaintiff argued that data breach victims would suffer from the diminished value of their PHI. In addition, patients will have to incur out-of-pocket costs associated with identity theft prevention.

These claims of harm are often difficult to quantify, especially since Ramirez v. TransUnion, in which the Supreme Court ruled that data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage.

The June 2021 ruling signified a significant shift in how data breaches are handled in court. Plaintiffs must now prove that they suffered a concrete injury to claim Article III standing.

A judge recently dismissed a class-action lawsuit filed against medical practice management company Practicefirst, citing insufficient evidence of actual harm.

In the Logan Health case, the plaintiff also alleged that the medical center violated the Montana Consumer Protection Act by engaging in “unfair or deceptive acts or practices,” including failing to secure PHI and failing to disclose the breach in a timely manner.