Paubox blog: HIPAA compliant email made easy

KRH agrees to 4.2 million dollar settlement after data breach

Written by Rikin Shah | December 31, 2021
The Kalispell Regional Healthcare system in Kalispell, Montana has agreed to a $4.2 million settlement after a data breach that affected 130,000 patients. 

What happened?

In May 2019, attackers ran a successful email phishing campaign against KRH employees. The employees handed over their credentials, which gave the attackers access to sensitive patient information, including:
  • Social Security numbers
  • Medical record numbers
  • Insurance information
  • Provider names
  • Dates of service
  • Contact information
  • Dates of birth
  • Medical history

 

The aftermath

As a result of the hack and the publicity that followed, several patients filed lawsuits claiming that KRH had failed to adequately train employees to recognize phishing scams and to secure protected health information (PHI).

SEE ALSO: Why Investing in Ongoing Cybersecurity Training is Good Business

KRH CEO Craig Lambert disputed this claim, noting that a cybersecurity firm had ranked KRH in the top quartile for data security readiness. Whether or not KRH's security program was deficient, the Montana Uniform Healthcare Information Act allows victims of data breaches to sue healthcare providers for violations stemming from an attack. The KRH settlement includes $4,200,000 for patients' out-of-pocket losses, plus Experian services including:
  • Three years of credit monitoring
  • Five years of identity theft restoration services

 

The bottom line

Regardless of whether KRH actively ignored cybersecurity protocols, its defenses were not good enough to withstand an email phishing scam. Once a breach like this has been discovered and reported, regulators at both the state level and the national level (HHS and its Office for Civil Rights, OCR) can impose substantial fines. Kalispell Regional Healthcare certainly isn't the first organization to face these consequences, and it won't be the last.

SEE ALSO: Orthopedic Clinic Pays $1.5 Million to Settle Systemic Noncompliance With HIPAA Rules

 

Prevent phishing attacks by working with Paubox

The more sophisticated the attack, the more likely employees are to hand over credentials and other sensitive information that can endanger PHI. Strengthening your defenses means investing in a HITRUST CSF certified, HIPAA compliant email solution. Paubox Email Suite Plus mitigates phishing risks through:

 

Learning from others

One of the most interesting takeaways here is that a cybersecurity auditing firm had rated KRH in the top quartile of medical organizations for cybersecurity readiness. A strong rating did not stop a phishing email from succeeding, which points to a severe gap between the protection healthcare organizations have and the capabilities of the attackers targeting them. To bridge this gap, organizations need a robust security plan that not only trains employees effectively but also uses HIPAA compliant email software that stops phishing attacks from reaching the inbox in the first place.
 
Try Paubox Email Suite Plus for FREE today.