Kalispell Regional sued over data breach
The main entrance to Kalispell Regional Medical Center. (Matt Baldwin/Daily Inter Lake)
A Cascade County resident has sued Kalispell Regional Healthcare on behalf of the 130,000 patients whose personal information was potentially exposed by a May data breach.
William Henderson filed the complaint in Cascade County District Court on Nov. 19. He is represented by Billings attorneys John Heenan and Joseph Cook.
Henderson is demanding a jury trial and “seeks to certify a class of persons whose personally identifiable information and/or protected health information was compromised as a result of the data breach announced by KRH in October 2019.”
The data breach at Kalispell Regional happened in May after hackers used fraudulent emails to bait employees into providing login credentials. The hospital did not report the attack until an outside forensic firm concluded its investigation.
Kalispell Regional sent notification letters to affected patients in late October. The letters told patients what types of their personal information might have been taken and provided steps to protect that information.
According to Heenan, Henderson hopes “to get a meaningful recovery for everyone” who was a victim of the data breach. He said the Montana Legislature has passed certain laws and statutes to protect people’s information from being disclosed by health-care providers.
“We have an expectation of privacy” and there should be “consequences when that expectation is violated,” Heenan said.
The complaint alleges “the data breach occurred only because KRH failed to implement adequate and reasonable training of employees, and procedures, and protocols with would have prevented the data breach, or at least detected the breach much earlier.”
It adds that Kalispell Regional employees should have been made more aware of the threat of common phishing scams and claims “KRH failed to ensure that its employees were adequately trained on even the most basic of cybersecurity protocols.”
“KRH had the resources necessary to prevent a breach, but neglected to adequately invest in data security,” the complaint adds.
The complaint states Kalispell Regional “put Plaintiff and members of the Class at serious, immediate and ongoing risk for identity theft and fraud,” and alleges the hospital did not “clearly, conspicuously, and timely inform Plaintiff and the other Class members of the nature and extent of the data breach.”
The complaint alleges the Plaintiff and class members can pursue the claim under the Uniform Health Care Information statute due to the unauthorized disclosure of health-care information and other private information. It also cites the Health Insurance Portability and Accountability Act, commonly known as HIPPA, which “codifies the right of patients to keep their personal information private.”
“KRH owes a common law duty to its patients to keep their personal information private and out of the hands of hackers,” the complaint states.
The complaints cites Montana Code 50-16-553 in the Plaintiff’s pursuit of “civil remedies” for himself and the class. It states that those “aggrieved by a violation” regarding their health-care information “may maintain an action for relief.”
It continues, “If the court determines that there is a violation of this part, the aggrieved person is entitled to recover damages for pecuniary losses sustained as a result of the violation and, in addition, if the violation results from willful or grossly negligent conduct, the aggrieved person may recover not in excess of $5,000, exclusive of any pecuniary loss.”
Mellody Sharpton, spokeswoman for Kalispell Regional Healthcare, released the following statement:
“KRH recently became aware of a lawsuit related to the data security event announced in October. Since we have not been served with the complaint, we have not had the opportunity to thoroughly review it and are not prepared to comment on its allegations. KRH is, however, disappointed about the lawsuit. We value our relationships with our patients and take safeguarding their privacy very seriously.”
Reporter Colin Gaiser may be reached at 758-4439 or cgaiser@dailyinterlake.com.