The Kalispell Regional Healthcare system in Kalispell, Montana has agreed to a $4.2 million settlement after a data breach that affected 130,000 patients.
In May 2019, attackers ran a successful email phishing campaign against KRH employees. Employees who responded handed over the credentials the attackers needed to reach sensitive patient information, including:
- Social security numbers
- Medical record numbers
- Insurance information
- Provider names
- Dates of services
- Contact information
- Medical history
As a result of the breach and its subsequent publicity, several patients filed lawsuits claiming that KRH had failed to adequately train employees to recognize phishing emails and to secure protected health information (PHI).
This was, however, disputed by KRH CEO Craig Lambert, who noted that a cybersecurity firm had placed KRH in the "top quartile for data security readiness."
Although KRH may refute the claims of a poor security protocol, the Montana Uniform Healthcare Information Act allows victims of data breaches to sue healthcare providers for violations stemming from an attack.
The KRH settlement includes $4,200,000 for out-of-pocket losses for patients in addition to Experian services, including:
- Three years of credit monitoring
- Five years of identity theft restoration services
The bottom line
Regardless of whether or not KRH actively ignored cybersecurity protocols, its controls were not good enough to withstand an email phishing campaign.
Once a breach like this is discovered and reported, regulators at both the state level and the federal level (the HHS Office for Civil Rights, or OCR) can impose substantial penalties on top of any private settlement. Kalispell Regional Healthcare certainly isn't the first organization to face this, and it won't be the last.
Prevent phishing attacks by working with Paubox
The more convincing the phishing email, the more likely an employee is to hand over credentials that expose PHI. Reducing that risk means investing in a HITRUST CSF certified, HIPAA compliant email solution.
Paubox Email Suite Plus effectively mitigates phishing risks through:
- Spam, virus, and phishing protection that stops threats before they reach your inbox
- ExecProtect: Our patented feature blocks display name spoofing emails that impersonate an executive before they reach the inbox
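To make the display name spoofing problem concrete, here is an added example of the kind of check an inbound mail filter can run on the From header. It is an illustration written for this page, not Paubox's ExecProtect implementation; the executive roster, the organization domain and the sample messages are all constructed for the demonstration.

```python
"""Display-name spoofing check for inbound mail (added illustration).

Everything below (organization domain, executive roster, sample messages)
is constructed for this example. It is not Paubox's ExecProtect code.
"""
import re
import unicodedata
from email import message_from_bytes, policy
from email.utils import parseaddr

# Hypothetical organization data (assumed for the example).
ORG_DOMAINS = {"example-health.org"}
EXECUTIVES = ["Craig Lambert", "Jane Doe"]


def normalize_name(name: str) -> str:
    """Canonicalize a display name so lookalike variants collapse together.

    Removes any embedded address-like token (attackers put a legitimate
    looking address inside the display name), strips accents and
    zero-width characters, folds case and collapses whitespace/punctuation.
    """
    name = re.sub(r"\S*@\S*", " ", name)  # drop "ceo@example-health.org" style tokens
    nfkd = unicodedata.normalize("NFKD", name)
    no_accents = "".join(c for c in nfkd if not unicodedata.combining(c))
    cleaned = "".join(c if c.isalnum() or c.isspace() else " " for c in no_accents)
    return " ".join(cleaned.lower().split())


EXEC_INDEX = [normalize_name(n) for n in EXECUTIVES]


def is_display_name_spoof(from_header: str) -> bool:
    """True when the display name matches an executive but the sending
    address is outside the organization's own domains."""
    display, addr = parseaddr(from_header)
    if not addr or "@" not in addr:
        return False  # malformed From header; leave it to other controls
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in ORG_DOMAINS:
        return False  # internal sender; SPF/DKIM/DMARC vouch for this domain
    norm = f" {normalize_name(display)} "
    # Contiguous-word match so "Craig Lambert (CEO)" is still caught.
    return any(f" {exec_name} " in norm for exec_name in EXEC_INDEX)


def check_raw_message(raw: bytes) -> bool:
    """Parse a raw RFC 5322 message and run the From-header check."""
    msg = message_from_bytes(raw, policy=policy.default)
    return is_display_name_spoof(str(msg["From"] or ""))


# Constructed sample messages for the demonstration.
SAMPLE_MESSAGES = {
    "legit_internal": (
        b"From: Craig Lambert <craig.lambert@example-health.org>\r\n"
        b"To: staff@example-health.org\r\nSubject: Town hall\r\n\r\nSee you at noon.\r\n"
    ),
    "spoofed_webmail": (
        b"From: Craig Lambert (CEO) <clambert.ceo@gmail.com>\r\n"
        b"To: finance@example-health.org\r\nSubject: Urgent wire\r\n\r\nCall me.\r\n"
    ),
    "spoofed_lookalike": (
        b"From: =?utf-8?q?Cr=C3=A0ig_Lambert?= <ceo-office@evil.example>\r\n"
        b"To: hr@example-health.org\r\nSubject: Payroll\r\n\r\nOpen the attachment.\r\n"
    ),
}


def scan_samples() -> dict:
    """Return {label: spoof verdict} for the constructed messages."""
    return {label: check_raw_message(raw) for label, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for label, verdict in scan_samples().items():
        print(f"{label:20s} spoof={verdict}")
```

The check is deliberately narrow: it only fires when a protected name arrives from a domain the organization does not control, so ordinary external mail is untouched. In production the roster would come from the directory, the domain list from DMARC-aligned sending domains, and a hit would quarantine or rewrite the message rather than just log it.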
Learning from others
One of the most interesting takeaways here is that a cybersecurity firm had rated KRH in the top quartile for data security readiness. This points to a severe gap between the protection healthcare organizations believe they have and the capabilities of the attackers targeting them.
In order to bridge this gap, it is important to implement a robust security plan that not only trains employees effectively but also utilizes HIPAA compliant email software that prevents phishing attacks from reaching the inbox in the first place.