Logan Health Medical Center in Montana, originally known as Kalispell Regional Healthcare, recently suffered another breach. The organization called itself “a victim of a highly sophisticated criminal attack.”
This breach follows a 2019 cyberattack on the health center. And it follows a sharp increase in attacks on healthcare organizations in general.
Proper protections (e.g., HIPAA compliant email) should have been employed before and after the earlier breach to block subsequent cyberattacks. Given HIPAA legislation, healthcare covered entities must always safeguard protected health information (PHI) from negligence and malicious intent.
Logan Health discovered suspicious activity on November 22, 2021 and launched an immediate investigation. The suspicious activity included evidence of unauthorized access into a file server with business associate information.
The unknown threat actor breached the organization’s external information technology systems. The investigation concluded on January 5, 2022, with Logan Health determining that the breach initially occurred on November 18.
The investigation also found that the accessed files contained PHI, though not electronic medical records. The data elements involved were:
- Name
- Address
- Medical record number
- Birthdate
- Telephone number
- Email address
- Insurance claim information
- Dates of service
- Treating/referring physician
- Medical bill account number
- Health insurance information
The Office of the Maine Attorney General, which received breach notification, added to the list Social Security numbers. Those affected included patients, employees, and business associates.
Logan Health notified the U.S. Office for Civil Rights (OCR) on February 22. OCR added the breach to its Breach Notification Portal as a network server hacking/IT incident affecting 213,543 individuals.
There is no indication of misused PHI, but Logan Health offered those affected credit/identity protection. Furthermore, the organization “deployed additional safeguards to further fortify [its] information systems.”
Not the first time for Logan Health
Unfortunately, this isn’t the first breach for Logan Health. The organization notified the Montana Attorney General’s Office of a smaller breach in January 2021. And in October 2019, the organization (as Kalispell Regional) reported a phishing email incident that affected 140,209 individuals.
Kalispell Regional also described that attack as “highly sophisticated.”
According to the breach notice, employees provided login credentials to a hacker in a phishing attack. The organization learned about the breach on August 28, 2019; cybercriminals may have had access as early as May 24.
The cyberattack disclosed PHI that was similar to the 2021 attack. Furthermore, Kalispell Regional used similar language about preventing future problems and breaches. Its 2019 notification also focused on:
- Additional safeguards
- Offering fraud/identity consultation and monitoring
In late 2020, the hospital agreed to a $4.2 million settlement for a class-action lawsuit. The plaintiffs argued that Kalispell Regional did not abide by best practices and industry standards.
How could this happen to Logan Health again?
Within its 2022 notification, Logan Health mentioned the significant increase in cybercriminal activity over the past 18 months. But the big question is: how could this happen to the same organization once more? Identity Theft Resource Center COO James E. Lee says that there is a one in three chance that a victim is a repeat target.
It only makes sense for a cybercriminal to try yet again after finding a vulnerable organization, or for another attacker to strike knowing the organization has a weak cybersecurity system or unaddressed vulnerabilities.
As part of the 2020 class-action lawsuit settlement, Logan Health agreed to implement and pay for business practice commitments relating to information security for three years.
There is no news on how the 2021 breach occurred, but obviously Logan Health did not successfully safeguard its endpoints.
How to ensure a breach does not occur
After a HIPAA violation, OCR typically investigates and provides technical assistance. This may have happened after the 2019 breach, but regulatory attorney Paul Hales states that “when an organization violates HIPAA shortly after receiving technical assistance, OCR has been inclined to require a settlement payment and corrective action plan [CAP] . . .”
At this time, there is no information on an investigation or CAP related to the 2021 breach.
Nevertheless, all healthcare organizations must take steps to ensure their systems are cyber protected. For example, Logan Health plans to provide better training for its employees.
But obviously, training is not enough on its own. Human error is unfortunately inevitable, which is why a layered cybersecurity program is important. Security measures should include:
- Access controls
- Offline backups
- Data encryption
- Endpoint security
- Monitoring/responding procedures
And of course, email security.
The need for email security—Paubox Suite Plus
Good email security protects inbound and outbound email at all times. Paubox Email Suite Plus does exactly this, giving healthcare organizations the HIPAA compliant email they need to safeguard PHI at all times.
Our HITRUST CSF certified solution encrypts all outbound email, which can be sent directly from an existing email platform such as Microsoft 365 and Google Workspace. Employees won’t need extra passwords, portals, or logins, making email communication easy and seamless.
Furthermore, our Zero Trust Email feature keeps malware and phishing emails from even being delivered to an inbox.
While a breach seems unavoidable, using such strong cybersecurity features as HIPAA compliant email should keep cyberattackers far away. Logan Health’s 2019 breach could have been circumvented with such a solution as Paubox Email Suite Plus while the 2021 breach should not have happened at all.