Logan Health Medical Center has reached a $4.3 million settlement with 213,543 patients and employees whose personal and protected health information may have been accessed during the November 22, 2021 cyberattack.
This is the second breach-related lawsuit settled by a Montana provider in less than three years. Prior to rebranding from Kalispell Regional Healthcare in May 2021, the health system reported an undetected phishing attack in 2019 that led to a one-month data compromise for 130,000 patients.
The incident exposed social security numbers, dates of birth, contact information, medical history, insurance data, medical record numbers, insurance details, provider names, and other sensitive data.
The hospital was sued by patients following that incident, which led to a $4.2 million settlement in December 2020.
The latest settlement stems from multiple lawsuits filed in April 2022 and later merged into one class action suit. Breach victims claimed that the 2021 server hack and subsequent patient data compromise resulted from Logan Health’s failure to implement adequate security measures.
During the incident, an attacker gained access to one of the eight file servers, exposing both patient and employee health information. The data exposed varied by individual and included name, Social Security number, date of birth, contact information and email address.
The lawsuit pointed to Logan Health’s previous security incident and the settlement of that lawsuit, noting that the health system had claimed at the time to have already taken “further steps to modify procedures that will reduce the risk of a similar incident happening again.”
The breach victims further allege that the 2021 incident was directly caused by the provider’s failure to follow through on representations expressed in previous breach notices. Specifically, Logan Health was accused of failing to properly train employees and/or implement procedures or protocols that could have prevented a second security incident.
“Particularly because Logan Health has demonstrated an inability to prevent or stop the breach from continuing after it was discovered, [individuals] have an interest in ensuring that their PII/PHI is safe, secure, and cannot be further stolen,” according to the lawsuit.
As such, the filing claimed that the one-year identity theft protection offered by the provider was “grossly inadequate.”
The alleged damages cited in the lawsuit included references outlining the cost of medical identity theft recovery, which averages $19,000 and more than 200 hours to resolve the issue. However, the lawsuit does not detail whether breach victims actually experienced these worst-case scenarios as a direct result of the 2021 breach.
The proposed settlement takes these issues into account and requires Logan Health to share details on actions it has already taken or its plans to strengthen cybersecurity training and awareness programs, data policies, safeguards and data restrictions, as well as its monitoring and response capabilities.
Individuals affected by the 2021 incident may file a claim for reimbursement of up to $25,000 in out-of-pocket expenses directly related to the breach and up to $125 for documented instances of time lost responding to the incident. The settlement also includes an optional cash payment and free credit monitoring for the affected individuals.
According to the settlement offer, Logan Health also agreed to pay “attorney’s fees not to exceed one-third” and “reimbursement of litigation costs and expenses not to exceed $150,000”.
The proposal is subject to final approval, which is scheduled for March 9.
Current healthcare data breach lawsuit trends
Logan Health has joined an increasingly long list of provider organizations to be hit by a patient-led lawsuit following a reported security incident. Like Logan Health, most of these cases are settled to limit lengthy litigation.
As SC Media reported in May 2022, healthcare data breach litigation has been equated to a modern-day ambulance chase. In the days after an incident is reported, law firms will set up websites advertising “investigations” into reported incidents and seek victims to join potential class-action lawsuits.
BakerHostetler confirmed that data breach lawsuits filed against hospitals in this way have skyrocketed over the past few years, even after the Supreme Court ruled that victims must provide evidence of concrete harm in order to pursue a case. In many of these filings, that evidence is missing.
This trend is likely to continue in the coming year, with healthcare data breach lawsuits already piling up.
CommonSpirit Health was hit with another breach lawsuit last year after a massive outage and data exfiltration incident. The lawsuit joins four filings issued last month against Maternal and Family Health Services, Shields Health Care Group, Retreat Behavioral Health, and Connexin Software following their own security incidents and patient data compromises.