Cybersecurity News

Logan Health Reaches $4.3M Settlement Following Healthcare Data Breach Lawsuit

Logan Health suffered a healthcare data breach in November 2021 that impacted more than 213,000 individuals and led to potential unauthorized PHI access.

Logan Health Reaches $4.3M Settlement Following Healthcare Data Breach Lawsuit

Source: Getty Images

By Jill McKeon

- Logan Health Medical Center in Kalispell, Montana reached a $4.3 million settlement to resolve a class action lawsuit stemming from a Fall 2021 healthcare data breach. Class members may be eligible to receive up to $25,000 in reimbursements for out-of-pocket losses, as well as $125 per class member for reimbursement of lost time and up to three years of credit monitoring services.

In November 2021, Logan Health discovered suspicious activity and later found evidence of unauthorized access to one file server containing information about patients, employees, and business associates.

Specifically, the unauthorized actor may have had access to Social Security numbers, names, email addresses, phone numbers, and birth dates. The breach impacted more than 213,000 individuals.

“This event is a painful reminder that each of us plays an important role in protecting our patients’ private health information,” Logan Health’s February 2022 letter to victims stated.

“Securing logins and passwords, not clicking on unfamiliar links and being mindful of locations for storing sensitive information are important safeguards that should be followed at all times.”

After notifying impacted individuals of the breach, Logan Health faced a class action lawsuit initiated by patients who alleged that Logan Health failed to adequately protect their health information. Logan Health denied any wrongdoing and agreed to the settlement.

The multi-million-dollar settlement was not Logan Health’s first. Logan Health was previously called Kalispell Regional Healthcare (KRH) and suffered another data breach in 2019 when multiple employees fell victim to a phishing attack.

KRH did not discover the attack for multiple months, resulting in potential unauthorized access to Social Security numbers, medical records numbers, insurance information, provider names, dates of services, contact information, birthdates, and medical histories.

KRH reached a $4.2 million settlement in 2020 following allegations that the health system failed to employ appropriate cyber defenses.