The likelihood of these expenses is why organizations must safeguard protected health information (PHI) from both negligence and malicious intent. And why the healthcare industry must focus on proper protections like HIPAA compliant email.
What happened to Logan Health?
Logan Health, known initially as Kalispell Regional Healthcare, discovered suspicious activity on November 22, 2021. The suspicious activity included evidence of unauthorized access into a file server with business associate information.
Logan Health notified those involved and the U.S. Office for Civil Rights (OCR) on February 22. OCR added the breach to its Breach Notification Portal as a network server hacking/IT incident affecting 213,543 individuals.
There is no indication of misused PHI, but Logan Health offered credit and identity protection to affected individuals. Logan Health also stated that it would strengthen its cybersecurity with additional safeguards.
A class-action lawsuit was filed by an affected patient of Logan Health, alleging neglect and invasion of privacy. Moreover, the plaintiff states that the 12 months of identity protection offered are insufficient.
Unfortunately, this isn’t Logan Health’s first breach or lawsuit. In October 2019, the organization (as Kalispell Regional) reported that a phishing email affected 140,209 individuals. A class-action lawsuit followed quickly behind the notification.
The plaintiffs argued that Kalispell Regional did not abide by best practices and industry standards, especially after Logan Health stated that it would take steps to revise its cybersecurity system in its breach notification letter.
In late 2020, the healthcare organization agreed to a $4.2 million settlement. And somehow, after this, Logan Health became a breach victim yet again, a point that the plaintiff in the new lawsuit raises.
If Logan Health had added safeguards after 2019, there would not have been a 2021 breach. Therefore, impacted patients suffered from PHI exposure and everything that comes with it, including out-of-pocket expenses.
Lawsuits against healthcare organizations
Lawsuits against healthcare organizations have become more frequent. And healthcare providers are not insulated from paying millions of dollars in damages after already costly cyberattacks.
We’ve written about several lawsuits over the past two years, including one of the most recent against Sea Mar Community Health Centers. At the same time, it is helpful to note that not all lawsuits settle in favor of a plaintiff.
The Logan Health plaintiff contends that the healthcare provider violated the Montana Consumer Protection Act by engaging in “unfair or deceptive acts or practices.” Whether this and the above demonstrate concrete damages is unknown at this time.
Avoid it all with strong cybersecurity
Data breach lawsuits typically claim that breaches happen because of inadequate cybersecurity measures. To avoid this, healthcare organizations must take steps to ensure their systems are properly protected.
Unfortunately, Logan Health faces the headache of another lawsuit, something it could have avoided with proper safeguards in place. In addition, employees must be better trained to avoid falling for phishing schemes.
A strong cybersecurity program should include a variety of access controls (like strong password management) and data encryption. Offline backups and network segmentation, along with endpoint security, keep sensitive information secure at all times.
Solid email security: Paubox Email Suite Plus
Good email security, such as Paubox Email Suite Plus, protects inbound and outbound email at all times. This means that PHI, whether sent or received, remains safeguarded.
First, our HITRUST CSF certified solution encrypts all outbound email, which can be sent from existing email platforms (e.g., Microsoft 365 and Google Workspace). As a result, there is no need for extra passwords, portals, or logins to communicate through email safely.
As part of its 2020 settlement, Logan Health agreed to update its information security system. But somehow, the 2021 breach still occurred, indicating the covered entity did not make suitable changes.
Other healthcare providers should learn from Logan Health’s mistakes by ensuring that they always use strong protections, such as HIPAA compliant email.