The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Logan Health Proposes $4.3 Million Settlement to Resolve Class Action Data Breach Lawsuit

Logan Health has agreed to settle a class action lawsuit related to a 2021 hacking incident that exposed the protected health information of 213,543 individuals. Under the terms of the settlement, Logan Health has agreed to create a fund of $4.3 million to cover claims from individuals affected by the breach.

Logan Health, formerly Kalispell Regional Medical Center, is a 622-bed health system based in Kalispell, MT, which operates six hospitals and more than 68 provider clinics in the state. On February 18, 2022, Logan Health announced that it was the victim of a sophisticated cyberattack in which hackers gained access to a file server containing patient data. The breach was detected on November 22, 2021, and the investigation confirmed that access to its systems was gained on November 18, 2021. On January 5, 2022, Logan Health learned that the attackers accessed files containing patient information such as names, addresses, medical record numbers, dates of birth, telephone numbers, email addresses, insurance claim information, date(s) of service, treating/referring physician, medical bill account number, and/or health insurance informa­tion. Affected individuals were offered complimentary credit monitoring services.

A lawsuitTafelski, et al. v. Logan Health Medical Center – was filed against Logan Health in the Montana Eighth Judicial District Court shortly after notification letters were mailed. The lawsuit alleged Logan Health had failed to implement reasonable and appropriate cybersecurity measures and had not provided sufficient security awareness training to its workforce. Had those measures been implemented, the data breach would have been prevented. In addition to this breach, Logan Health had experienced others while operating as Kalispell Regional Medical Center, which had affected 2,081 state residents in 2021 and 126.805 individuals in 2019. The lawsuit alleged the plaintiffs and class members have suffered damages including the compromise, publication, theft and/or unauthorized use of their PII/PHI, out-of-pocket costs from the prevention, detection, recovery, and remediation from identity theft or fraud, lost opportunity costs and lost wages, that they faced a continued risk to their PII/PHI.

Logan Health chose to settle the lawsuit to avoid further legal costs and the uncertainty of trial. Under the terms of the settlement, affected individuals can submit claims up to a maximum of $25,000 for reimbursement of out-of-pocket expenses that are reasonably traceable to the data breach and were not reimbursable by a third party. Claims can also include lost time up to a maximum of $125 per class member. In addition to claims for reimbursement of losses, class members can choose to claim three years of credit monitoring services or a cash payment in lieu of the credit monitoring services.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The deadline for exclusion from or objections to the settlement is February 13, 2023. Claims must be submitted by April 3, 2023, and the final approval hearing for the settlement has been scheduled for March 9, 2023.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist