Logan Health Medical Center in Montana suffered a data breach in November 2021. Now, the healthcare provider faces a class-action lawsuit.
After a cyberattack, covered entities deal with many costs and issues, including HIPAA violations, angry patients, and possible lawsuits.
RELATED: Patients file lawsuits in the wake of healthcare data breaches
The likelihood of these expenses is why organizations must safeguard protected health information (PHI) from both negligence and malicious intent, and why the healthcare industry must focus on proper protections like HIPAA compliant email.
Logan Health, formerly known as Kalispell Regional Healthcare, discovered suspicious activity on November 22, 2021, including evidence of unauthorized access to a file server containing business associate information.
The unknown threat actor breached the organization's external information technology systems. PHI exposed included Social Security numbers, names, email addresses, phone numbers, and birthdates.
Logan Health notified those involved and the U.S. Office for Civil Rights (OCR) on February 22. OCR added the breach to its Breach Notification Portal as a network server hacking/IT incident affecting 213,543 individuals.
There is no indication of misused PHI, but Logan Health offered credit and identity protection to affected individuals. Logan Health also stated that it would strengthen its cybersecurity with additional safeguards.
An affected patient filed a class-action lawsuit against Logan Health, alleging negligence and invasion of privacy. The plaintiff also contends that the 12 months of identity protection offered are insufficient.
Unfortunately, this isn't Logan Health's first breach or lawsuit. In October 2019, the organization (then Kalispell Regional) reported that a phishing email affected 140,209 individuals. A class-action lawsuit followed soon after the notification.
The plaintiffs argued that Kalispell Regional did not abide by best practices and industry standards, especially since the organization had stated in its breach notification letter that it would take steps to revise its cybersecurity system.
In late 2020, the healthcare organization agreed to a $4.2 million settlement. And yet, after this, Logan Health became a breach victim again, a point the plaintiff in the new lawsuit raises.
Had Logan Health added safeguards after 2019, there would not have been a 2021 breach. As a result, impacted patients suffered PHI exposure and everything that comes with it, including out-of-pocket expenses.
Lawsuits against healthcare organizations have become more frequent. And healthcare providers are not insulated from paying millions of dollars in damages after already costly cyberattacks.
SEE ALSO: Even nonprofit healthcare providers risk HIPAA fines – Metro pays $25K for data breach
We've written about several lawsuits over the past two years, including one of the most recent against Sea Mar Community Health Centers.
At the same time, it is worth noting that not all lawsuits end in the plaintiff's favor. A judge dismissed a lawsuit against Brandywine Urology in February 2021. And in June 2021, the Supreme Court ruled that data breach victims must demonstrate actual injury and losses.
Some healthcare organizations have successfully stopped lawsuits (e.g., UF Health Central Florida) while others have settled (e.g., Anthem). The Logan Health plaintiff contends that the healthcare provider violated the Montana Consumer Protection Act by engaging in "unfair or deceptive acts or practices." Whether this and the other claims demonstrate concrete damages is unknown at this time.
Data breach lawsuits typically claim that breaches happen because of inadequate cybersecurity measures. To avoid such claims, healthcare organizations must take steps to properly protect their systems. Unfortunately, Logan Health now faces the headache of another lawsuit, something it could have avoided with proper safeguards in place.
In addition, employees must be better trained to avoid falling for phishing schemes.
RELATED: How to ensure your employees aren't a threat to HIPAA compliance
But training is not enough, as human error is inevitable. A cybersecurity program must incorporate layers of protection. It should include a variety of access controls (like strong password management) and data encryption.
Offline backups and network segmentation, along with endpoint security, keep sensitive information secure at all times. And finally, strong email security (i.e., HIPAA compliant email) fortifies email, the most commonly exploited threat vector in cyberattacks.
Good email security, such as Paubox Email Suite Plus, protects inbound and outbound email at all times. This means that PHI, whether sent or received, remains safeguarded. First, our HITRUST CSF-certified solution encrypts all outbound email, which can be sent from existing email platforms (e.g., Microsoft 365 and Google Workspace). As a result, there is no need for extra passwords, portals, or logins to communicate safely through email.
SEE ALSO: How to get employees to use encrypted email
Second, our Zero Trust Email feature keeps malware and phishing emails from ever being delivered to an inbox. In other words, the opportunity to fall for a malicious scheme is greatly reduced.
As part of its 2020 settlement, Logan Health agreed to update its information security system. But somehow, the 2021 breach still occurred, indicating the covered entity did not make suitable changes. Other healthcare providers should learn from Logan Health's mistakes by ensuring that they always use strong protections, such as HIPAA compliant email.