Breach, Incident Response, Privacy

Logan Health agrees to $4.3M settlement after 2021 health data breach

A scattering of $100 bills are seen
Logan Health Medical Center reached a $4.3 million settlement with more than 213,000 patients and employees affected by 2021 cyberattack. ("Cash Money (part two)" by jtyerse is licensed under CC BY-NC-ND 2.0.)

Logan Health Medical Center has reached a $4.3 million settlement with the 213,543 patients and employees whose personal and protected health information was likely accessed during a Nov. 22, 2021, cyberattack.

This is the second breach-related lawsuit settled by the Montana provider in less than three years. Prior to rebranding from Kalispell Regional Healthcare in May 2021, the health system reported an undetected phishing attack in 2019 that led to a monthslong data compromise for 130,000 patients.

The incident exposed Social Security numbers, birthdates, contact information, medical histories, insurance data, medical record numbers, insurance details, provider names, and other sensitive data.

The hospital was sued by patients after that incident, leading to a $4.2 million settlement in December 2020. If the latest proposal is approved, Logan Health will have paid $8.5 million in breach settlements in less than three years.

The latest settlement stems from several lawsuits filed in April 2022 and later merged into a class action suit. The breach victims claimed that a 2021 server hack and subsequent patient data compromise was caused by Logan Health’s failure to implement adequate security measures.

During the incident, an attacker gained access to one of eight file servers and accessed both patient and employee health information. The exposed data varied by individual and including names, Social Security numbers, dates of birth, contact information, and email addresses.

The lawsuit took aim at Logan Health’s previous security incident and lawsuit settlement, noting that the health system already “claimed to be taking ‘further steps to revise procedures that will minimize the risk of a similar event happening again.’”

The breach victims further alleged that the 2021 incident was directly caused by the provider failing to adhere to representations expressed in the past breach notice. In particular, Logan Health was accused of failing to reasonably train employees and/or implement procedures or protocols that would have prevented the second security incident.

“Particularly because Logan Health has demonstrated an inability to prevent a breach or stop it from continuing even after being detected, [individuals] have an undeniable interest in ensuring that their PII/PHI is secure, remains secure, and is not subject to further theft,” according to the lawsuit.

As such, the filing asserted that the one-year of identity theft protection offered by the provider was “grossly inadequate.”

The purported harm outlined in the lawsuit included references outlining the cost of medical identity theft recovery, which averages up to $19,000 and over 200 hours to resolve the issue. The suit did not, however, detail whether the breach victims had actually experienced these worst-case scenarios as a direct result of the 2021 breach.

The proposed settlement appears to take these issues into account and requires Logan Health to share details into the actions it has already taken or its plans to strengthen the cybersecurity training and awareness programs, data policies, security measures, and data restrictions, as well as its monitoring and response capabilities.

Individuals affected by the 2021 incident can also file claims to be reimbursed for up to $25,000 in out-of-pocket expenses directly tied to the breach and up to $125 for documented instances of time lost responding to the incident. The settlement also includes alternate cash payments and free credit monitoring for affected individuals.

Logan Health also agreed to pay “attorneys’ fees not to exceed one-third” of the settlement and “reimbursement of litigation costs and expenses not to exceed $150,000,” according to the settlement proposal.

The proposal is subject to final approval, which is scheduled for March 9.

Current healthcare data breach lawsuit trends

Logan Health joins an increasingly long list of provider organizations to be hit with a patient-led lawsuit after a reported security incident. Like Logan Health, the vast majority of these cases are settled to limit prolonged litigation.

As SC Media reported in May 2022, healthcare data breach litigation has been equated to modern-day ambulance chasing. In the days following an incident report, law firms will set up websites advertising “investigations” into reported incidents and seeking breach victims to join possible class-action suits.

BakerHostetler confirms data breach lawsuits filed against hospitals in this fashion have rapidly grown in the last few years, even after the Supreme Court ruled that victims must provide evidence of concrete harm to pursue a case. In many of these filings, that evidence is missing.

The trend will likely continue into the coming year, with healthcare data breach lawsuits already stacking up.

CommonSpirit Health was just hit with another breach lawsuit after its massive outage and data exfiltration incident last year. The lawsuit joins four filings issued in just the last month against Maternal & Family Health Services, Shields Health Care Group, Retreat Behavioral Health, and Connexin Software after their own security incidents and patient data compromises.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.