Logan Health Notifies Patients of Data Breach That Affected Thousands of Montanans

The hospital has offered free credit monitoring services to those affected

By Mike Kordenbrock
Logan Health, formerly Kalispell Regional Healthcare, pictured on May 19, 2021. Hunter D’Antuono | Flathead Beacon

Logan Health Medical Center patients were recently notified that some of their information may have been accessed after a hack led to a data breach last November.

Logan Health has posted information about the incident on its website, mailed physical letters to those affected, and is offering a year of free identity monitoring services. Some of those letters, signed by Logan Health President and CEO Dr. Craig Lambrecht, arrived in late February.

In total, the breach affected 213,543 people, including 174,761 Montanans. The breach occurred on Nov. 18, 2021, and on Nov. 22 the hospital discovered suspicious activity, including evidence of unauthorized access to a file server that held shared folders for business operations.

According to Lambrecht’s letter, the hospital used third-party forensics experts and quickly launched an investigation to understand “the nature and scope of the incident and whether any personal information was affected.”

By Jan. 5, an investigation had determined there was unauthorized access to certain files, which contained protected health information related to patients. The time between the discovery of the breach and the notification of those affected was a result of both the time it takes to conduct an investigation and the time it took to determine exactly who had been affected, according to hospital spokesperson Mellody Sharpton. The breach also specifically affected Logan Health Medical Center patients, according to Sharpton.

“There was no unauthorized access to our electronic medical records,” Lambrecht said in the letter.

The letter states that different information may have been accessed for each person. That may include name, address, medical record number, date of birth, telephone number, email address, diagnosis and treatment codes, dates of service, treating/referring physician, medical bill account number and/or health insurance information, and Social Security numbers.

The most recent data breach isn’t the first time Logan has been targeted in recent years. The hospital has also previously reported a January 2021 data breach to the Montana Attorney General’s Office that affected 2,081 Montanans. In 2019, Logan Health, under its previous name of Kalispell Regional Healthcare, reported a breach to the Montana AG’s Office that affected 126,805 Montanans.

Lambrecht stated in his letter that Logan has “deployed additional safeguards to further fortify our information systems.”

The breaches are to some degree in keeping with trends identified by the nonprofit Identity Theft Resource Center. James E. Lee, the chief operating officer for the ITRC, said there’s about a one in three chance that a victim is a repeat target.

“One of the things that stands out on this particular one is just the scope of it,” Lee said. He added that some of the information he’s been able to learn about the breach is due to the more extensive reporting requirements about data breaches in the state of Maine, where four people were affected by the breach at the Logan Health Medical Center. He noted that Logan did send out physical letters, which he said is a form of notification that is less common than it used to be. In some instances businesses will just post a notice on their website, and people affected may never see it.

“The fact that they sent a letter to everybody, that’s a good thing. And the fact they are making some tools available to people.”

Lee recommended that people take Logan up on its offer of credit monitoring services, which in this case are being offered by a company called Kroll. Among the services being offered by Kroll are credit monitoring, fraud consultation, and identity theft restoration.

Lee said that people who are concerned about their potential exposure should also consider a credit freeze. A credit freeze is among the additional steps outlined in the letters Logan sent out. Part of the rationale, according to Lee, is that credit monitoring services are generally reactive by nature, whereas a freeze could prevent theft from happening from the outset. A freeze restricts access to credit reporting, so that new lines of credit or accounts can’t be opened. A freeze is “thawed” free of charge, and Lee said the process can be done repeatedly as needed. The Federal Trade Commission says that in order to implement a credit freeze a person needs to contact each of the three credit bureaus: Equifax, Experian and TransUnion.

The advice of implementing a credit freeze doesn’t just extend to adults, Lee said.

“Children’s identities are more valuable than adults, in many respects, because when you have an adult you have a work history, you have a credit history,” Lee said. “If you’re monitoring it you can find something when it occurs, but with a child’s credit it’s completely different because they shouldn’t have a file, so what happens is the first time you learned that something happened is when they’re getting ready to go off to college, or maybe they’re applying for a job.”

He added: “Then you find out that a Social Security number has a 15-year work history associated with it when they’re 18 years old. Well, they haven’t been working since they were three.”

Lee said that people should also consider doing things like changing passwords. It’s especially important if someone has multiple accounts with the same password, he said, adding that the repeat use of the same password has become more common with the growth of remote work.

He also explained that criminals are often interested in attacking businesses, and not individuals. Information gleaned about individuals can be used to target a business and launch something like a ransomware attack in which criminals block access to files and systems and demand a ransom be paid.

“The general trend is they’re less interested in individual data anymore and more interested in what they can do to compromise a system so they can hold it up for ransom,” Lee said.