Logan Health Medical Center has reached a $4.3 million settlement with 213,543 patients and employees whose personal and protected health information may have been accessed during the November 22, 2021 cyberattack.
This is the second breach-related lawsuit settled by the Montana provider in less than three years. Before changing its name from Kalispell Regional Healthcare in May 2021, the health system reported an undetected phishing attack in 2019 that resulted in a months-long data breach affecting 130,000 patients.
The incident exposed Social Security numbers, dates of birth, contact information, medical histories, insurance data, medical record numbers, insurance details, provider names, and other sensitive data.
Following the incident, the hospital was sued by patients, resulting in a $4.2 million settlement in December 2020. If the latest proposal is approved, Logan Health will pay an $8.5 million liquidated settlement in less than three years.
The latest settlement stems from several lawsuits filed in April 2022 that were later combined into a single class action. Victims of the breach allege that a 2021 server hack and subsequent breach of patient data resulted from Logan Health’s failure to implement adequate security measures.
In this incident, attackers gained access to one of eight file servers and accessed patient and employee health information. The data exposed varied from person to person and included names, Social Security numbers, dates of birth, contact information and email addresses.
The lawsuit addresses Logan Health’s previous security incidents and lawsuit settlements, noting that the health system “alleged that it is taking ‘further steps to revise procedures to minimize the risk of similar incidents recurring.’”
Breach victims further allege that the 2021 incident was a direct result of the provider’s failure to comply with representations made in past breach notices. In particular, Logan Health is accused of failing to properly train employees and/or implement procedures or protocols that would have prevented a second security incident.
“Especially because Logan Health has demonstrated its inability to prevent the breach or prevent the breach from continuing even after it was discovered, [individuals] have an undeniable interest in ensuring that their PII/PHI is secure, remains secure, and is protected from further theft,” according to the lawsuit.
As a result, the filing claims that the provider’s one-year identity theft protection is “grossly inadequate.”
The alleged injuries outlined in the lawsuit include references outlining the cost of medical identity theft recovery, averaging as much as $19,000 and more than 200 hours to resolve the issue. However, the lawsuit does not detail whether data breach victims actually experienced these worst-case scenarios as a direct result of the 2021 data breach.
The proposed settlement appears to take these concerns into account and requires Logan Health to share details of actions it has taken, or plans to take, to enhance its cybersecurity training and awareness programs, data policies, security measures and data restrictions, as well as its monitoring and response capabilities.
Individuals affected by the 2021 incident may also file a claim for up to $25,000 in out-of-pocket expenses directly related to the breach and up to $125 for documented time lost responding to the incident. The settlement also includes alternative cash payments and free credit monitoring for affected individuals.
Logan Health also agreed to pay “attorney fees not to exceed one-third” and “reimbursement of litigation costs and expenses not to exceed $150,000,” according to the settlement proposal.
The proposal is subject to final approval, which is scheduled for March 9.
Current Healthcare Data Breach Litigation Trends
Logan Health joins a growing list of provider organizations hit by patient-led lawsuits after reporting a security incident. Like Logan Health, the vast majority of those organizations have settled to limit protracted litigation.
As SC Media reported in May 2022, healthcare data breach lawsuits have become the modern-day equivalent of ambulance chasing. In the days after an incident is reported, law firms set up websites advertising an “investigation” into the reported incident and seek breach victims to join a possible class action.
BakerHostetler confirmed that data breach lawsuits brought against hospitals in this way have increased rapidly over the past few years, even after the Supreme Court ruled that victims must provide evidence of specific harm in order to pursue cases. In many of these filings, that evidence is missing.
The trend is likely to continue into next year, with healthcare data breach lawsuits already piling up.
CommonSpirit Health has just been hit with another breach lawsuit following last year’s massive outage and data breach. It joins four suits filed last month against Maternal and Child Health Services, Shields Health Care Group, Retreat Behavioral Health and Connexin Software following their own security incidents and breaches of patient data.