Kalispell Regional Healthcare, northwest Montana's largest healthcare provider, was sued late last month by one of the 130,000 patients whose information was possibly compromised in a data breach announced by the hospital in October.
William Henderson, represented by Billings attorney John Heenan, filed the civil complaint in Cascade County District Court on Nov. 25. The suit alleges Kalispell Regional Healthcare failed to take the necessary steps to protect patients' private information before the breach. The complaint seeks to certify more plaintiffs into a class action lawsuit.
"This has been a way that criminals have tried to gain access to peoples' private information and specifically their private healthcare information," Heenan said in a phone interview Wednesday. "It's our contention by filing this lawsuit that they should have done a lot better by their patients in protecting that information."
Mellody Sharpton, a spokeswoman for Kalispell Regional Healthcare, said Wednesday she did not have enough information available to comment on the filing.
However, since the breach, the hospital has taken steps to help employees learn how to identify suspicious emails, according to the lawsuit. The Inter Lake reported Kalispell Regional offered all notified patients complimentary fraud consultation and identity theft restoration services.
The hospital fell victim to the cyber attack in May, when hackers used emails to lure the hospital's employees into providing login credentials, the Daily Inter Lake reported. Kalispell Regional Healthcare was not aware of the extent of the attack until an outside forensic firm completed a review for the hospital. Authorities estimate 250 patients' Social Security numbers "may have been taken" in the breach.
You have free articles remaining.
Henderson's lawsuit alleges the data breach was "caused by KRH's failure to abide by best practices and industry standards" in securing patient data. The suit also alleges Kalispell Regional Healthcare did not notify patients of the nature and extent of the information breached clearly nor in a timely manner. As a result, patients have been left exposed to identity theft, the suit states.
Henderson's claim against Kalispell Regional stands on the Montana Uniform Health Care Information Act, which states a victim of such a breach can seek damages from the health care provider if the company is found to be in violation of the act.
Heenan did not say his client had suffered any problems since the breach, but said such cases leave patients indefinitely exposed to serious identity theft.
"That's the biggest problem with these types of breaches, is when and how the damage occurs," he said. "It's not all overnight. Once your personal information, in particular your personal healthcare information, is in criminal hands, what happens from there is the scary part.
"He's certainly been monitoring his credit, waiting to see if anything's going to happen, but the reality is that could be tomorrow or next week or next year," Heenan added.
The U.S. Department of Health and Human Services' Office of Civil Rights lists the Kalispell Regional Healthcare breach as still "under investigation."