The Kalispell Regional Healthcare system in Kalispell, Montana has agreed to a $4.2 million settlement after a data breach that affected 130,000 patients.
What happened?
In May 2019, attackers ran a successful email phishing campaign against KRH employees. Employees who fell for it handed over their credentials, which were then used to access sensitive information, including:
Social security numbers
Medical record numbers
Insurance information
Provider names
Dates of services
Contact information
Birthdays
Medical history
The aftermath
As a result of the hack and its subsequent publicity, several patients filed lawsuits claiming that KRH had failed to adequately train employees to recognize phishing scams and to secure protected health information (PHI). KRH CEO Craig Lambert disputed this, noting that a cybersecurity firm had placed KRH in the "top quartile for data security readiness." Although KRH may dispute the claim that its security protocols were inadequate, the Montana Uniform Healthcare Information Act allows victims of data breaches to sue healthcare providers for violations stemming from an attack. The KRH settlement includes $4,200,000 for patients' out-of-pocket losses, in addition to Experian services, including:
Three years of credit monitoring
Five years of identity theft restoration services
The bottom line
Regardless of whether or not KRH actively ignored cybersecurity protocols, its defenses were simply not strong enough to withstand an email phishing scam. Once a breach of this kind is discovered and reported, regulatory bodies at both the state level and the national level (HHS and OCR) stand ready to impose substantial fines. Kalispell Regional Healthcare certainly isn't the first organization to face these consequences, and it won't be the last.
Prevent phishing attacks by working with Paubox
The more sophisticated the attack, the more likely employees are to hand over credentials and other security information that can endanger PHI. Strengthening your defenses means investing in a HITRUST CSF certified, HIPAA compliant email solution. Paubox Email Suite Plus effectively mitigates phishing risks through:
Spam, virus, and phishing protection that stops threats before they reach your inbox
One of the most interesting takeaways here is that a cybersecurity auditing firm had rated KRH in the top quartile of medical organizations for cybersecurity compliance. This points to a severe gap between the protection healthcare organizations have in place and the capabilities of potential attackers. To bridge this gap, organizations need a robust security plan that not only trains employees effectively but also uses HIPAA compliant email software that stops phishing attacks before they reach the inbox in the first place.