Beginning today, Kalispell Regional Healthcare is mailing out letters to nearly 130,000 patients whose personal information may have been involved in a data breach over the summer.
Patients’ personal information may have included their name, address, medical record number, date of birth, telephone number, email address, medical history and treatment information, date of service, treating and referring physician, medical bill account number and/or health insurance information. KRH says a small number of patients, 250 or fewer, may have had their Social Security numbers accessed.
“Although there is no indication that the information was misused, we are offering you 12 months of credit and identity monitoring services at no charge as an extra precaution,” KRH Chief Executive Officer and President Craig Lambrecht said in the letter to patients. “In addition, we have taken further steps to revise procedures that will minimize the risk of a similar event from happening again.”
The letter provides information about how to enroll in the monitoring services. The hospital is also working with a call center to provide a designated help line at 1-877-514-0850 from 7 a.m. to 4:30 p.m. MST Monday through Friday. Patients are asked to have their membership number ready.
The hospital discovered in June that multiple employees had unknowingly provided their KRH email login credentials to “unauthorized malicious criminals by way of a phishing scam.” Lambrecht called the cyber attack “highly sophisticated,” and said upon learning of the scam the hospital immediately disabled the employees’ accounts, notified federal law enforcement and launched an investigation performed by Kroll, a nationally recognized digital forensics firm out of New York.
The investigation revealed on Aug. 28 that some patients’ information may have been accessed without authorization as early as May 24. The hospital didn’t learn of the full extent and exact number of patients until recently, at which point it prepared to notify all patients potentially impacted by the breach.
Of the roughly 129,000 patients identified, 90 percent are Montana residents, while the remaining 10 percent reside in other states or countries.
“We are committed to protecting the privacy of our patients and have taken steps to prevent similar events from occurring in the future,” Lambrecht said. “In addition, we will work with the authorities to hold the perpetrators accountable for this attack against your privacy.”
“Our relationship with our patients is our most valued asset,” he continued. “I want to personally express my deepest regret for any inconvenience that these criminal actions may cause you and your family.”
In an interview on Oct. 22, Director of IT Melanie Swenson noted that KRH conducts an annual threat assessment to its IT systems through a third party. The most recent audit was conducted in the fall of 2018 by CynergisTek, which KRH calls a top-ranked cybersecurity consulting firm. It identified KRH in the 98th percentile for cyber-security compliance, placing it in the top 9 percent of all health care organizations nationwide.
KRH says its information technology systems block nearly 40,000 web-traffic intrusions and 50,000 incoming email threats each day.
Hospital officials note that in the last 90 days alone, 23 hospitals and health care systems in 19 states have reported data breaches affecting 500 or more individuals. In 2018, there were 351 data breaches of 500 or more health care records documented by the U.S. Department of Health and Human Services’ Office for Civil Rights, the largest affecting more than 2.5 million people.
KRH also provided a report showing 16 data-security incidents in Montana reported to the Office for Civil Rights since 2011, the largest of which occurred at the Montana Department of Public Health and Human Services and affected more than 1 million individuals’ demographic, clinical and/or financial information.
Billings Clinic and Bozeman Deaconess Hospital are among other Montana health care institutions to have been victims of data-security breaches, according to KRH. Swenson said the examples demonstrate the precarious nature of operating institutions in the modern technological landscape, particularly with increasingly sophisticated cyber-criminals.
She added that even with KRH’s high data-security ratings, each year the hospital seeks to bolster its security, but by virtue of basic day-to-day operations and “allowing the employees to do their job, there’s always a little window of vulnerability.”
Cindy Morrison, chief transformation officer for KRH, said it’s a reality of the “world we live in.”
“It’s not a matter of if, but when,” she said.