Kalispell Regional Healthcare, located in Montana, is currently notifying around 140,000 patients that some of their protected health information (PHI) was potentially exposed in a security breach over the summer.
Kalispell Regional Healthcare runs Kalispell Regional Medical Center, a 138-bed hospital in Kalispell, MT. The breach has impacted the majority of its patients.
The breach affected Kalispell Regional's email system and occurred because multiple members of staff were fooled by a "highly sophisticated" phishing scam. Employees who responded to the phishing email inadvertently disclosed their login credentials to the attacker, who used them to remotely access the employees' email accounts. Kalispell Regional learned of the breach on August 28.
Upon discovering the breach, Kalispell Regional disabled all affected email accounts to stop further unauthorized access, reported the incident to law enforcement, and launched an internal investigation to determine its extent. The investigation showed the email account was breached on May 24, 2019, and that the compromised accounts contained messages and attachments that included patients' PHI.
The data exposed varied from patient to patient and may have included names, addresses, email addresses, telephone numbers, dates of service, treatment information, health insurance details, treating and referring physicians' names, and medical bill account information. For 250 or fewer patients, Social Security numbers were also exposed.
Unauthorized access to PHI was possible, but no evidence has been found that any patient information has been misused. Nevertheless, out of an abundance of caution, affected individuals have been offered 12 months of free credit monitoring and identity theft protection services through Kroll, regardless of the type of information that was exposed.
It took many weeks to determine which patients had been affected and what types of information had been exposed, which delayed the issuing of breach notification letters. The breach investigation concluded last week.
Kalispell Regional had implemented a range of cybersecurity measures prior to the breach and uses a third-party firm to conduct annual threat assessments to proactively identify vulnerabilities and improve its security posture. Those measures were not sufficient to block the phishing attack in this instance. Kalispell Regional will continue to review its security measures, and enhancements will be made to better safeguard patient data against phishing attacks.
The breach report filed with the Department of Health and Human Services' Office for Civil Rights on October 22, 2019 indicates that up to 140,209 patients were affected by the security breach.