An American healthcare provider is proposing to resolve a lawsuit filed on behalf of victims of a 2019 data breach with a $4.2m settlement.
Kalispell Regional Healthcare, based in Montana, announced in October last year that a data breach had occurred. Approximately 130,000 patients had their personal health information (PHI) exposed as a result of a cyber-attack.
Criminals used what Kalispell chief executive officer and president Craig Lambrecht described as a “sophisticated phishing attack” to gain access to the email accounts of multiple employees on May 24, 2019. The breach wasn’t detected by the healthcare provider until August of that year.
Patient data compromised in the breach included names, addresses, telephone numbers, dates of birth, medical record numbers, medical histories, Social Security numbers, and health insurance information.
Attackers stole an estimated 250 Social Security numbers from Kalispell Regional patients. After announcing the breach, the healthcare provider advised patients to review account statements, report suspicious activity to the authorities, and, if necessary, place security freezes on their credit files.
The lawsuit claimed that Kalispell failed to take appropriate measures to ensure the privacy of patient data and placed patients at financial risk by waiting until October to disclose the security incident.
It further alleges that employees were not given adequate security awareness training and that Kalispell didn’t do enough to monitor its systems for suspicious activity.
The class-action lawsuit was filed against Kalispell Regional in the Montana Eighth Judicial District Court in Cascade County on November 22, 2019. The case is scheduled to go before Judge Elizabeth Best for a final approval hearing on January 5.
Kalispell Regional denies any wrongdoing in the settlement document. The healthcare provider proposes establishing a $4.2m settlement fund that will be used to pay various relief benefits to victims of the data breach.
A statement released by the healthcare provider on Friday reads: “The letter references a class action settlement that has been proposed in litigation relating to the cybersecurity event KRH experienced in October, 2019. Settlements are common with events such as these and we will work with the court through the settlement process.”