Updated March 15, 2022
What could be worse that a major healthcare data breach affecting nearly 130,000 patients? A second major breach two years later affecting over 200,000 patients is worse!
When a health system’s network is hacked and patient data is exposed expenses pile up, patient care suffers and a reputation is tarnished. For breaches affecting 500 or more people, the Office of Civil Rights (OCR), the HIPAA enforcement agency, will come knocking to investigate what went wrong.
Healthcare data breaches are expensive and potentially damaging to patients. When it happens, the best outcome is an improved system – learning from what went wrong, making improvements to tighten security, and reducing the risk of it happening again. But something went wrong for a regional health system in Montana serving hundreds of thousands of patients in the western part of the state. Two major breaches in two and a half years under similar circumstances.
Logan Health in Kalispell, Montana (formerly known as Kalispell Regional Health) operates five hospitals, with a total of 577 beds, and more than 40 provider clinics and a number of other healthcare services throughout northwest Montana.
In addition to the two major breaches which both trigger OCR investigations, Logan Health is now facing a federal class action lawsuit filed on March 9, 2022 in Montana’s district court – this is actually the second class action Logan has defended – one was settled in December, 2020 for $4.2 million (noted below).
Healthcare Data Breaches Back-to-Back
Breach Reported in February 2022
Logan Health recently reported a breach of protected health information (PHI) affecting nearly 214,000 patients. Logan explained in its breach notice that on November 22, 2021, it discovered suspicious activity in its IT systems, “including evidence of unauthorized access to one file server that includes shared folders for business operations.” The information compromised includes name, address, medical record number, date of birth, telephone number, email address, insurance claim information, dates of service, treating/referring physician, medical bill account number and health insurance information.
Breach Reported in October 2019
But this is the second major breach for Logan Health in two and a half years. In the summer of 2019 criminal hackers used phishing to trick Logan employees into providing their log-in credentials for the healthcare system’s network. The PHI of nearly 130,000 patients was compromised. An OCR investigation followed, and a private class action lawsuit in state court. Ultimately the lawsuit settled for $4.2 million. Information accessed by the hackers in 2019 apparently included names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, medical history and treatment information, dates of service, treating physicians, medical bill account numbers, health insurance information, and even Social Security numbers.
Scrutiny from OCR
We are not aware of an investigation settlement with OCR for the first event in 2019. Even if the investigation uncovered HIPAA violations – failure to do a HIPAA Risk Analysis for example, or inadequate employee training – OCR’s preference to provide technical assistance to an organization that cooperates and accepts help, in lieu of engaging “higher levels” of enforcement like a fine or a corrective action plan.
It will be interesting to see how the investigation of the more recent breach unfolds. The outcome depends on whether Logan Health took the required action steps after the first breach, for example, whether they have all the policies required, whether they conduct enterprise-wide Risk Analysis, (and have all the required Security Rule safeguards in place), and provide employee training, among other things.
Class Action Lawsuit for Negligence and Violation of Montana Law
Regarding the recent class action lawsuit, courts are increasingly reluctant to hear cases where there is not enough evidence of actual harm resulting from the breach. If the plaintiffs can show actual harm rather than speculative or future harm, they have a better chance of success. Even if the case is not ultimately successful, a federal lawsuit is costly. Defending a lawsuit is a major distraction, demanding management’s time, payment of legal fees, and potentially, a settlement payment.