Another day, another breach: Logan Health Medical Center

Logan Health Medical Center in Montana, originally known as Kalispell Regional Healthcare, recently suffered another breach. The organization called itself "a victim of a highly sophisticated criminal attack.”

RELATED: What is a data breach?

This breach follows a 2019 cyberattack on the health center. And it follows a sharp increase in attacks on healthcare organizations in general. Proper protections (e.g., HIPAA compliant email) should have been employed before and after the earlier breach to block subsequent cyberattacks.

Given HIPAA legislation, healthcare  covered entities must always safeguard  protected health information (PHI) from negligence and malicious intent.

What happened?

Logan Health discovered suspicious activity on November 22, 2021 and launched an immediate investigation. The suspicious activity included evidence of unauthorized access into a file server with business associate information.

The unknown threat actor breached the organization’s external information technology systems. The investigation concluded on January 5, 2022, with Logan Health determining that the breach initially occurred on November 18. And that there was access to files that contained PHI, though not electronic medical records, such as:

The Office of the Maine Attorney General, which received breach notification, added to the list Social Security numbers. Those affected included patients, employees, and business associates. Logan Health notified the U.S. Office for Civil Rights (OCR) on February 22. OCR added the breach to its Breach Notification Portal as a network server hacking/IT incident affecting 213,543 individuals.

There is no indication of misused PHI, but Logan Health offered those affected credit/identity protection. Furthermore, the organization “deployed additional safeguards to further fortify [its] information systems.”

Not the first time for Logan Health

Unfortunately, this isn’t the first breach for Logan Health. The organization notified the Montana Attorney General’s Office of a smaller breach in January 2021. And in October 2019, the organization (as Kalispell Regional) reported a phishing email incident that affected 140,209 individuals.

An attack that Kalispell Regional also called “highly sophisticated.”

According to the breach notice, employees provided login credentials to a hacker in a phishing attack. The organization learned about the breach on August 28, 2019; cybercriminals may have had access as early as May 24. The cyberattack disclosed PHI that was similar to the 2021 attack.

Furthermore, Kalispell Regional used similar language about preventing future problems and breaches. Its 2019 notification also focused on:

• Additional safeguards
• Offering fraud/identity consultation and monitoring

In late 2020, the hospital agreed to a $4.2 million settlement for a class-action lawsuit. The plaintiffs argued that Kalispell Regional did not abide by best practices and industry standards.

How could this happen to Logan Health again?

Within its 2022 notification, Logan Health mentioned the significant increase in cybercriminal activity over the past 18 months. But the big question is how this could happen to the same organization once more? Identity Theft Resource Center COO, James E. Lee, says that there is a one in three chance that a victim is a repeat target.

SEE ALSO: Billings Clinic suffers HIPAA email breach – again!

It only makes sense for a cybercriminal to try yet again when they find a vulnerable organization. Or for another hacker to attack knowing there is a weak cybersecurity system or vulnerabilities. As part of the 2020 class-action lawsuit settlement, Logan Health agreed to implement and pay for business practice commitments relating to information security for three years.

There is no news on how the 2021 breach occurred but obviously, Logan Health did not successfully safeguard its endpoints.

How to ensure a breach does not occur

After a HIPAA violation, OCR typically investigates and provides technical assistance. This may have happened after the 2019 breach, but Regulatory attorney Paul Hales states that “when an organization violates HIPAA shortly after receiving technical assistance, OCR has been inclined to require a settlement payment and corrective action plan [CAP] . . .”

RELATED: How to avoid a HIPAA corrective action plan

At this time, there is no information on an investigation or CAP related to the 2021 breach. Nevertheless, all healthcare organizations must take steps to ensure their systems are cyber protected. For example, Logan Health plans to provide better training for its employees.

RELATED:  How to ensure your employees aren’t a threat to HIPAA compliance

But obviously, training is  not enough on its own. Human error is unfortunately inevitable, which is why a layered cybersecurity program is important. Security measures should include:

• Access controls
• Segmentation
• Offline backups
• Data encryption
• Endpoint security
• Monitoring/responding procedures

And of course, email security.

The need for email security—Paubox Suite Plus

Good email security protects inbound and outbound email at all times. Paubox Email Suite Plus does exactly this, giving healthcare organizations needed HIPAA compliant email to always safeguard PHI.

Our HITRUST CSF certified solution encrypts all outbound email, which can be sent directly from an existing email platform such as Microsoft 365 and  Google Workspace. Employees won’t need extra passwords,  portals, or logins, making email communication easy and seamless.

SEE ALSO:  How to get employees to use encrypted email

Furthermore, our  Zero Trust Email feature keeps malware and phishing emails from even being delivered to an inbox. While a breach seems unavoidable, using such strong cybersecurity features as HIPAA compliant email should keep cyberattackers far away.

Logan Health’s 2019 breach could have been circumvented with such a solution as Paubox Email Suite Plus while the 2021 breach should not have happened at all.