Attorney Says KRH Data Breach Part of National Trend Targeting Health Care

Phishing attack in 2019 exposed information of nearly 130,000 current and former KRH patients; hospital agrees to $4.2 million settlement fund in class-action lawsuit

By Myers Reece
Kalispell Regional Healthcare. Hunter D’Antuono | Flathead Beacon

An attorney who has worked on some of the country’s largest data-breach cases, and was a co-counsel for plaintiffs in a recent class-action lawsuit against Kalispell Regional Healthcare, said he has seen a significant spike in health-care cyber attacks driven by the black-market allure of dual medical and identification information.

“The last couple years I’ve seen an explosion in health-care deliverers, hospitals, doctor groups that have been the subject of cyber attacks and resulting data breaches because of the wealth of information they have on individuals, both personal health and personal identification information,” said John Yanchunis, a Tampa-based attorney who leads the class-action department at Morgan & Morgan, a Florida-headquartered law firm that Yanchunis says is the biggest of its kind in the country.

Yanchunis was the lead plaintiff counsel in settlement proceedings related to a series of Yahoo! data breaches from 2012-2016, including one that affected 3 billion users’ information, the largest data breach on record. He also worked on the massive Equifax data breach, which affected 147 million people, and is currently the co-lead counsel in an expansive breach case against Capital One.

Yanchunis was one of several attorneys representing plaintiffs in a class-action lawsuit against KRH, which stemmed from a 2019 data breach that exposed the personal information of nearly 130,000 current and former patients. The plaintiffs and settlement class were also represented by attorneys from Heenan & Cook in Billings and Paoli Law Firm, P.C. in Missoula.

The class-action lawsuit, filed in Eighth Judicial District Court in Great Falls in November 2019, listed William Henderson of Cascade County “and all others similarly situated” as plaintiffs. A settlement was finalized last month, in which KRH agreed to a $4.2 million settlement fund for those affected by exposure of personal information.

The breach resulted from a “phishing attack,” in which hackers used emails to lure employees into unwittingly revealing their KRH login credentials. The plaintiffs’ complaint states that phishing attacks are “among the oldest and well-known form of cyberattacks,” for which there are “several proactive and preventative measures.” But the litigation argues that KRH didn’t “abide by best practices and industry standards concerning the security of its computer systems.”

“The data breach occurred only because KRH failed to implement adequate and reasonable training of employees, and procedures, and protocols which would have prevented the data breach, or at least detected the breach much earlier,” the complaint asserts.
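The complaint's point that phishing is an old, well-understood attack with known countermeasures is the kind of thing a mail gateway or SOC check can partly automate. As an added example, not KRH's, Kroll's or CynergisTek's tooling and not drawn from the complaint, the Python below scores an inbound message on the indicators a credential-phishing lure usually shows: a sender domain that is a lookalike of the organisation's own, a Reply-To that points elsewhere, failed SPF/DKIM/DMARC results, and password or sign-in wording paired with a link to an external host. The organisation domain krh.example and both sample messages are constructed placeholders, not anything from the KRH incident.

```python
"""Triage inbound e-mail for credential-phishing indicators.

Added illustration for this article; not code from KRH or its vendors.
ORG_DOMAIN and the two sample messages are assumed placeholders.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "krh.example"  # assumption: the protected organisation's mail domain

# Wording typical of lures that ask staff to re-enter their login credentials.
LURE_WORDS = ("password", "verify your account", "credentials", "sign in", "log in")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def _domain(addr):
    """Lower-cased domain of an address header value, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _is_internal(domain):
    return domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN)


def _levenshtein(a, b):
    """Edit distance, used to catch one-character typosquats of ORG_DOMAIN."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, target=ORG_DOMAIN):
    """True for a domain that is not ours but imitates it: within one edit of
    the target, or equal to it after the usual homoglyph swaps (rn->m, 0->o, 1->l)."""
    if not domain or _is_internal(domain):
        return False
    folded = domain.replace("rn", "m").translate(str.maketrans("01", "ol"))
    return folded == target or _levenshtein(domain, target) <= 1


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    from_dom = _domain(msg["From"])
    reply_dom = _domain(msg["Reply-To"])
    if is_lookalike(from_dom):
        hits.append(f"from-domain lookalike: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        hits.append(f"reply-to domain mismatch: {reply_dom}")
    # Authentication-Results as written by the receiving MTA (assumed present).
    auth = (msg["Authentication-Results"] or "").lower()
    if any(tag in auth for tag in ("spf=fail", "dkim=fail", "dmarc=fail")):
        hits.append("sender authentication failed")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    external = [u for u in URL_RE.findall(text)
                if not _is_internal((urlparse(u).hostname or "").lower())]
    if external and any(w in text.lower() for w in LURE_WORDS):
        hits.append(f"credential lure with external link: {external[0]}")
    return hits


# Constructed sample: a lookalike sender, off-domain Reply-To, failed SPF,
# and a password-expiry lure pointing at an external host.
PHISHING_SAMPLE = """\
From: "KRH IT Help Desk" <helpdesk@krh.exarnple>
Reply-To: support@mail-verify.example
To: nurse@krh.example
Subject: Action required: password expiry
Authentication-Results: mx.krh.example; spf=fail smtp.mailfrom=krh.exarnple; dkim=none
Content-Type: text/plain; charset=utf-8

Your password expires today. Sign in at https://krh-portal.example/login
to verify your account and keep access to the patient record system.
"""

# Constructed sample: routine internal mail that should produce no indicators.
BENIGN_SAMPLE = """\
From: "Payroll" <payroll@krh.example>
To: nurse@krh.example
Subject: Holiday schedule posted
Authentication-Results: mx.krh.example; spf=pass smtp.mailfrom=krh.example; dkim=pass
Content-Type: text/plain; charset=utf-8

The updated holiday schedule is on the intranet at https://intranet.krh.example/holidays
"""

if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, phishing_indicators(sample))
```

Any one indicator alone is weak (legitimate bulk mailers set an odd Reply-To; SPF fails on forwarded mail), so in practice a gateway would quarantine on two or more and route single hits to a reviewer; the scoring here is deliberately transparent so the indicators can be shown to the employee who reported the message, which is the training feedback loop the complaint says was missing.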

The complaint describes the ramifications of such exposed personal information as “long lasting and severe,” and that the “fraudulent use of that information and damage to victims may continue for years.” It states that damages include “the compromise, publication, theft and/or unauthorized use” of stolen information, as well as loss of time, money and productivity spent attempting to “mitigate the actual and future consequences,” such as researching, detecting and contesting misuse.

Those affected have been placed at an “imminent, immediate, and continuing increased risk of harm from identity theft and identity fraud, requiring them to take the time which they otherwise would have dedicated to other life demands such as work and family in an effort to mitigate the actual and potential impact … by placing ‘freezes’ and ‘alerts’ with credit reporting agencies, contacting their financial institutions, closing or modifying financial accounts, closely reviewing and monitoring their credit reports and accounts for unauthorized activity, and filing police reports.”

Noting that a breach such as the one at KRH involves both personal identifying information (PII) and protected health information (PHI), the class-action lawsuit says the information is “significantly more valuable than the mere loss of credit card information typical of recent large retailer data breaches,” including some information that is “difficult, if not impossible, to change,” such as Social Security numbers, names, addresses, dates of birth and medical records.

The complaint states that such information is “highly coveted” on the black market, as it can be used for identity theft and fraud as well as health-care fraud. KRH maintains that only about 250 people may have had their Social Security numbers accessed.

Where the information is used for health-care fraud, the cost is steep: according to the lawsuit, a study by Experian found that the average total cost of medical identity theft is about $20,000 per incident, and that a “majority of victims of medical identity theft were forced to pay out-of-pocket costs for healthcare they did not receive in order to restore coverage.”

The court-appointed administrator of the settlement is Verus LLC, which recently sent out mailers notifying class members of their right to submit claims and set up a website to do so at www.kalispelldatabreachsettlement.com. The claim submittal deadline is Feb. 25, 2021.

The agreement states that settlement class members may submit a claim up to $15,000 for reimbursement of out-of-pocket losses, while also providing claim options for attested time reimbursement and credit monitoring and identity restoration services.

Yanchunis notes that an advantage of these types of class-action lawsuit settlements is a “very low evidentiary burden to claim the benefits.”

As part of the settlement, KRH has also agreed to implement and pay for business practice commitments relating to information security for three years, including the enhancement of cybersecurity training and awareness programs, data security policies, security measures, restrictions to accessing personal information, and monitoring and response capabilities.

KRH revealed in October 2019 that the breach had occurred over the summer. The hospital notified federal law enforcement of the attack, which President and CEO Craig Lambrecht called “highly sophisticated,” and launched an investigation performed by Kroll, a digital forensics firm out of New York.

The hospital’s IT director noted at the time that KRH conducted an annual threat assessment to its IT systems through a third party, and that CynergisTek, a nationally recognized cybersecurity consulting firm, completed the most recent audit in the fall of 2018. It identified KRH in the 98th percentile for cybersecurity compliance, placing it in the top 9% of all health-care organizations nationwide, the hospital stated.

KRH said its information technology systems were blocking nearly 40,000 web-traffic intrusions and 50,000 incoming email threats each day at the time.

The hospital also provided a report showing 16 data-security incidents in Montana reported to the U.S. Department of Health and Human Services’ Office for Civil Rights since 2011, the largest of which occurred at the Montana Department of Public Health and Human Services and affected more than 1 million individuals’ information. The hospital also noted that the Office for Civil Rights documented 351 data breaches of 500 or more health-care records nationwide in 2018 alone.

In a statement responding to the class-action settlement, KRH said “settlements are common with events such as these and we will work with the court through the settlement process.”