Healthcare Entity Reports Another Big Hacking Incident

Breach Notification, Cybercrime, Electronic Health Records

Recent Breach Affects Nearly 214,000 People; Incident in 2019 Affected 140,000

Marianne Kolbasuk McGee (HealthInfoSec) •
February 25, 2022

A Montana-based healthcare organization is notifying nearly 214,000 people of a hacking incident affecting patients, employees and business associates. The breach – described as a “sophisticated criminal attack” – is the second major hacking incident the entity has reported since 2019.


In a breach report filed Tuesday with the Maine State Attorney General, the Kalispell, Montana-based Logan Health Medical Center, formerly known as Kalispell Regional Healthcare, says a hacking incident involving an “external system,” discovered in November 2021, affected 213,543 people, including four Maine residents.

In October 2019, when it was still called Kalispell Regional, the organization reported an email phishing incident affecting more than 140,000 people to the US Department of Health and Human Services (see: Phishing schemes continue to plague the healthcare industry).

The Latest Hack

In a sample breach notification letter provided to the Maine Attorney General’s office, Logan Health indicates that on November 22, 2021, it discovered suspicious activity in its computer systems, “including evidence of unauthorized access to a file server that includes shared folders for business operations.”

On Jan. 5, the organization’s investigation into the incident determined that there had been unauthorized access to certain files containing personal information about patients, employees and associates, Logan Health said. The potentially compromised information varies by individual, the organization says.

Logan Health says the affected information includes name, address, medical record number, date of birth, phone number, email address, insurance application information, dates of service, treating/referring physician, medical bill account number, and/or health insurance information.

In a notice posted on its website, Logan Health describes itself as “the victim of a highly sophisticated criminal attack on our information technology systems, which may have involved personal patient information.”

Following the incident, Logan Health says it deployed “additional safeguards to further strengthen” its information systems.

Logan Health is a health system that includes five hospitals, with a total of 577 beds, as well as more than 40 provider clinics and a number of other health services in the Flathead Valley of northwestern Montana.

The Prior Breach

In October 2019, before being renamed Logan Health, Kalispell reported a data breach with a similar description to the recent incident – a “highly sophisticated attack”.

In a breach notification statement related to the previous incident, Kalispell said it discovered in the summer of 2019 that several employees “became victims of a well-crafted email that caused them to unknowingly provide their [Kalispell] login credentials to malicious criminals.”

The organization’s investigation determined that some patient information may have been accessed as early as May 24, 2019.

Kalispell reported the breach to the HHS Office for Civil Rights as affecting the information of 140,209 individuals, including name, Social Security number, address, medical record number, date of birth, phone number, e-mail address, medical history and treatment information, date of service, attending/referring physician, medical bill account number and/or health insurance information.

The organization’s 2019 breach notification said Kalispell had “taken steps to prevent similar events from occurring in the future”.

Regulatory review?

Regulatory attorney Paul Hales of the Hales Law Group says HHS OCR generally prefers to provide technical assistance to a cooperating organization following a HIPAA violation, rather than engaging in “higher levels” of enforcement.

“It probably happened in 2019,” he says of the previous breach reported by Kalispell.

“However, when an organization violates HIPAA soon after receiving technical assistance, OCR has been inclined to demand a settlement payment and a corrective action plan while citing its previous technical assistance to the organization,” he says.

Logan’s breach notification “follows the standard practice of informing affected individuals of the steps they should take to protect themselves from the financial consequences of identity theft,” he says. Logan offers one year of credit and identity monitoring.

“However, Logan did not provide guidance on what steps to take to detect medical identity theft, which is the fastest-growing and most dangerous form of identity theft to the safety and well-being of patients,” Hales says.

“We’re starting to see HIPAA breach notifications that include steps to detect and protect against medical identity theft, such as reviewing your medical records for suspicious entries. We hope this becomes the norm.”

Logan Health did not immediately respond to Information Security Media Group’s request for additional details on the two incidents.
