Logan Health in Montana is facing multiple breach lawsuits after reporting an IT systems hack that led to the access of personal and health information for 213,543 patients, employees and business associates. The lawsuit claims the incident was caused by its failure to implement adequate security measures.
As first reported, a sophisticated cyberattack against the Logan Health IT systems enabled access to one of eight file servers containing protected health information in November 2021. The subsequent investigation found the files were subjected to unauthorized access to a range of data, including Social Security numbers, dates of birth and contact information.
What was overlooked in the first report was that this was the second healthcare data breach reported by the Montana health system in less than three years. Logan Health rebranded itself from Kalispell Regional Healthcare in May 2021, to “bring consistency and connectivity to services across the system.”
Prior to rebranding, a 2019 phishing attack led to a monthslong incident that compromised the medical data of 130,000 patients, including SSNs, birthdates, contact details, medical histories, insurance data, medical record numbers, insurance details, provider names and other sensitive data. They reached a $4.2 million settlement with patients in December 2020.
Logan Health is now facing at least two more lawsuits, one filed March 15 and the other filed earlier this week in the Great Falls Division of the U.S. District Court of Montana.
The latest filings also note the previous breach and lawsuit, noting that Logan Health “claimed to be taking ‘further steps to revise procedures that will minimize the risk of a similar event happening again.’”
The lawsuit claims the 2021 incident occurred due to the provider failing to adhere to these representations, in addition to failing to reasonably train employees and/or implement procedures or protocols that would have prevented the hack from occurring.
In terms of harm, the filing references data that shows the average out-of-pocket costs for medical ID theft victims can average up to $19,000 and more than 200 hours in resolving the situation. The claims of harm outlined in the lawsuit center around potential and future losses.
The lawsuit also argues the one-year of identity theft protection offered by Logan Health is “grossly inadequate.”
“Particularly because Logan Health has demonstrated an inability to prevent a breach or stop it from continuing even after being detected, [individuals] have an undeniable interest in ensuring that their PII/PHI is secure, remains secure, and is not subject to further theft,” according to the suit.
The lawsuit also claims Logan Health failed to timely notify individuals of the data breach, as notices were sent about 30 days after the 60-day requirement outlined in The Health Insurance Portability and Accountability Act (HIPAA).
The impacted patients are seeking to address whether Logan Health breached its duties and/or acted negligently by failing to take necessary precautions to protect patient information, as well as whether its failures violated the Montana Consumer Protection Act.
The impacted individuals are seeking legal relief in the form of actual and treble damages, injunctive relief, attorneys’ fees, and further relief, such as compensatory and punitive damages.
Logan Health joins a laundry list of providers facing lawsuits following data breaches impacting more than 50,000 patients. With the Supreme Court defining the need for victims to show evidence of actual harm caused by a breach, a growing number of these suits are settled out of court or dismissed.