2 min read

KRH agrees to 4.2 million dollar settlement after data breach

Rikin Shah December 31, 2020

Healthcare cybersecurity news

The Kalispell Regional Healthcare system in Kalispell, Montana has agreed to a $4.2 million settlement after a data breach that affected 130,000 patients.

What happened?

In May 2019, hackers deployed a successful email phishing attack that targeted KRH employees who supplied them with the credentials needed to access sensitive information, including:

Social security numbers
Medical record numbers
Insurance information
Provider names
Dates of services
Contact information
Birthdays
Medical history

The aftermath

As a result of the hack and its subsequent publicity, several patients filed lawsuits that claimed KRH had failed to adequately train employees on how to properly discern phishing scams and secure protected health information (PHI) . SEE ALSO: Why Investing in Ongoing Cybersecurity Training is Good Business This was, however, disputed by KRH CEO Craig Lambert who noted that a cybersecurity firm had named KRH in the ” top quartile for data security readiness. ” Although KRH may refute the claims of a poor security protocol, the Montana Uniform Healthcare Information Act allows victims of data breaches to sue healthcare providers for violations stemming from an attack. The KRH settlement includes $4,200,000 for out-of-pocket losses for patients in addition to Experian services, including:

Three years of credit monitoring
Five years of identity theft restoration services

The bottom line

Regardless of whether or not KRH actively ignored cybersecurity protocols, its efforts were just not good enough to withstand an email phishing scam. Once these scams have been discovered and reported, there are many regulatory bodies, not only at the state level, but also at the national level ( HHS and OCR ) that are waiting to hit organizations with substantial fines. Kalispell Regional Healthcare certainly isn’t the first and it won’t be the last to face the wrath. SEE ALSO: Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance With HIPAA Rules

Prevent phishing attacks by working with Paubox

The more sophisticated the attack, the more likely employees are to hand over important security information that can endanger PHI. You will need to up your security by investing in a HITRUST CSF certified HIPAA compliant email solution. Paubox Email Suite Plus effectively mitigates phishing risks through:

Spam, virus, and phishing protection that stops threats before they reach your inbox
ExecProtect: Our patented feature blocks display name spoofing emails that impersonate an executive before they reach the inbox

Learning from others

One of the most interesting takeaways here is that KRH was rated in the top quartile of all medical organizations for cybersecurity compliance by a cybersecurity auditing firm. This points to a severe gap between the protection healthcare organizations have and the capabilities of potential hackers. In order to bridge this gap, it is important to implement a robust security plan that not only trains employees effectively but also utilizes HIPAA compliant email software that prevents phishing attacks from reaching the inbox in the first place.

Try Paubox Email Suite Plus for FREE today.

Start for free

Another day, another breach: Logan Health Medical Center

Kapua Iao : March 15, 2022

Logan Health Medical Center in Montana, originally known as Kalispell Regional Healthcare, recently suffered another breach. The organization called...

Healthcare cybersecurity news