Kalispell Regional Healthcare Offers to Pay $4.2 Million to Settle Data Breach Lawsuit

Kalispell Regional Healthcare, located in Montana, has proposed paying $4.2 million to settle a legal action filed on behalf of patients affected by a data breach that was made public in October 2019.

The lawsuit was filed right after the notification that the protected health information (PHI) of around 130,000 patients was impermissibly exposed because of a phishing attack. Unauthorized persons gained access to a number of email accounts after workers clicked hyperlinks in phishing emails and disclosed their login information. The attackers first gained access to the email accounts on May 24, 2019 and had access to the accounts for a few months. The breached email accounts contained sensitive data, including names, phone numbers, addresses, dates of birth, Social Security numbers, health record numbers, medical background, and medical insurance details. The hackers stole approximately 250 Social Security numbers.

The legal case alleged that Kalispell Regional Healthcare didn’t use suitable procedures to safeguard the privacy of patient records, had not sufficiently instructed its employees on security awareness, and wasn’t effectively keeping track of potential compromises. Had it done so, it would have been able to identify the breach much sooner. The lawsuit furthermore claimed that Kalispell Regional Healthcare did not send breach victims prompt notices, did not comply with industry-accepted criteria and cybersecurity guidelines, and violated the Montana Uniform Health Care Information Act.

Kalispell Regional Healthcare said that, before the data breach, it had carried out various cybersecurity measures to maintain the privacy and confidentiality of patients' PHI. During the breach, a top-rated cybersecurity consulting company stated that Kalispell Regional Healthcare placed in the top 9% of healthcare companies for cybersecurity conformity; however, the measures applied were still not adequate to avert the breach.

Kalispell Regional Healthcare decided to settle in order to conclude the lawsuit and avoid ongoing legal costs. The organization didn’t admit any wrongdoing or liability for the data breach.

As per the conditions of the settlement, Kalispell Regional Healthcare will provide a $4.2 million fund to pay for diverse forms of relief for impacted persons, which include reimbursement of out-of-pocket costs, compensation for time spent attending to identification restoration services and credit-monitoring services, free membership of Experian credit monitoring services for three years, and complimentary identity theft restoration services for five years. Plaintiffs are eligible to claim around $15,000 for out-of-pocket expenditures and as much as $75 in reimbursement for time spent responding to the breach.

The proposed settlement is due to be approved by Eighth Judicial District Court Judge Elizabeth Best. The final acceptance hearing is slated for January 5, 2021. Once the settlement is accepted, plaintiffs will have until February 25, 2021 to file their claims.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone