Logan Health Medical Center: a data breach and now a lawsuit


Logan Health Medical Center in Montana suffered a data breach in November 2021. Now, the healthcare provider faces a class-action lawsuit.

After a cyberattack, covered entities deal with many costs and issues, including HIPAA violations, angry patients, and possible lawsuits.

RELATED: Patients file lawsuits in the wake of healthcare data breaches

The likelihood of these expenses is why organizations must safeguard protected health information (PHI) from both negligence and malicious intent, and why the healthcare industry must focus on proper protections like HIPAA compliant email.

What happened to Logan Health?

Logan Health, formerly known as Kalispell Regional Healthcare, discovered suspicious activity on November 22, 2021. The suspicious activity included evidence of unauthorized access to a file server with business associate information.

The unknown threat actor breached the organization’s external information technology systems. PHI exposed included Social Security numbers, names, email addresses, phone numbers, and birthdates.

Logan Health notified those involved and the U.S. Office for Civil Rights (OCR) on February 22. OCR added the breach to its Breach Notification Portal as a network server hacking/IT incident affecting 213,543 individuals.

There is no indication of misused PHI, but Logan Health offered credit and identity protection to affected individuals. Logan Health also stated that it would strengthen its cybersecurity with additional safeguards.

Upcoming lawsuit

A class-action lawsuit was filed by an affected patient of Logan Health, alleging neglect and invasion of privacy. Moreover, the plaintiff states that the 12 months of identity protection offered are insufficient.

Unfortunately, this isn’t Logan Health’s first breach or lawsuit. In October 2019, the organization (as Kalispell Regional) reported that a phishing email affected 140,209 individuals. A class-action lawsuit followed quickly behind the notification.

The plaintiffs argued that Kalispell Regional did not abide by best practices and industry standards, especially after Logan Health stated in its breach notification letter that it would take steps to revise its cybersecurity system.

In late 2020, the healthcare organization agreed to a $4.2 million settlement. And somehow, after this, Logan Health became a breach victim yet again, something that the plaintiff of the new lawsuit discusses.

If Logan Health had added safeguards after 2019, there would not have been a 2021 breach. Therefore, impacted patients suffered from PHI exposure and everything that comes with it, including out-of-pocket expenses.

Lawsuits against healthcare organizations

Lawsuits against healthcare organizations have become more frequent. And healthcare providers are not insulated from paying millions of dollars in damages after already costly cyberattacks.

SEE ALSO: Even nonprofit healthcare providers risk HIPAA fines – Metro pays $25K for data breach

We’ve written about several lawsuits over the past two years, including one of the most recent against Sea Mar Community Health Centers. At the same time, it is helpful to note that not all lawsuits settle in favor of a plaintiff.

A judge dismissed a lawsuit against Brandywine Urology in February 2021. And in June 2021, the Supreme Court ruled that data breach victims must demonstrate actual injury and losses.

We see some healthcare organizations successfully stop lawsuits (e.g., UF Health Central Florida) while others settle (e.g., Anthem).

The Logan Health plaintiff contends that the healthcare provider violated the Montana Consumer Protection Act by engaging in “unfair or deceptive acts or practices.” Whether or not this and the above demonstrate concrete damages is unknown at this time.

Avoid it all with strong cybersecurity

Data breach lawsuits typically claim that breaches happen because of inadequate cybersecurity measures. To avoid this, healthcare organizations must take steps to ensure their systems are protected against cyberattacks.

Unfortunately, Logan Health faces the headache of another lawsuit, something it could have avoided with proper safeguards in place. In addition, employees must be better trained to avoid falling for phishing schemes.

RELATED: How to ensure your employees aren’t a threat to HIPAA compliance

But training is not enough, as human error is inevitable. A cybersecurity program must incorporate layers of protection.

It should include a variety of access controls (like strong password management) and data encryption. Offline backup and segmentation keep sensitive information secure at all times, along with endpoint security.

And finally, strong email security (i.e., HIPAA compliant email) fortifies the most accessed threat vector for cyberattacks.

Solid email security: Paubox Email Suite Plus

Good email security, such as Paubox Email Suite Plus, protects inbound and outbound email at all times. This means that PHI, whether sent or received, remains safeguarded.

First, our HITRUST CSF certified solution encrypts all outbound email, which can be sent from existing email platforms (e.g., Microsoft 365 and Google Workspace). As a result, there is no need for extra passwords, portals, or logins to communicate through email safely.

SEE ALSO: How to get employees to use encrypted email

Second, our Zero Trust Email feature keeps malware and phishing emails from even being delivered to an inbox. In other words, the opportunity to fall for a malicious scheme is marginal.

As part of its 2020 settlement, Logan Health agreed to update its information security system. But somehow, the 2021 breach still occurred, indicating the covered entity did not make suitable changes.

Other healthcare providers should learn from Logan Health’s mistakes by ensuring that they always use strong protections, such as HIPAA compliant email.

Try Paubox Email Suite Plus for FREE today.

About the author

Kapua Iao
