Former patients of Logan Health allege in a new class-action lawsuit that the medical provider’s November data breach left them open to identity theft and represented negligence, breach of contract and breach of fiduciary duty.
Filed in Flathead County District Court last month, the lawsuit accuses the health-care organization of failing to safeguard personal information and delaying in alerting patients about the data breach. More than 213,000 patients — 174,761 of them Montana residents — had their private data, including Social Security numbers, addresses and treatment codes, exposed in the hack, court documents said.
“The data breach was a direct result of [Logan Health’s] failure to implement adequate and reasonable cybersecurity protections and protocols that were necessary to protect the sensitive information of patients who entrusted it into [the facility’s] custody and care,” reads the lawsuit.
Officials with Logan Health acknowledged the data breach earlier this year. Patients exposed in the “highly sophisticated criminal attack” received a Feb. 18 letter regarding the hack signed by Craig Lambrecht, Logan Health’s CEO. Notice of the attack also went up on the organization’s website.
According to the letter, officials learned of the breach after investigating evidence of outside access to a Logan Health file server that hosts shared folders for business operations. Forensic investigators confirmed unauthorized access to files containing patient information — but not electronic medical records — on Jan. 5.
In the letter, officials stressed that they lacked evidence the information was thus far misused. They offered affected patients a year each of identity monitoring services. As a result, officials said the medical provider had “deployed additional safeguards to further fortify our information systems.”
THE LAWSUIT, filed by Great Falls attorney Mark Kovacich of Odegaard Kovacich Snipes, argues that the breach left the plaintiffs vulnerable to future crimes.
“Because of [Logan Health’s] failure to protect their information, plaintiffs and class members will be at a heightened risk of identity theft for the rest of their lives,” it reads.
As an example, the suit alleged that the two named plaintiffs, Farrah Bereta and Illyhia Birk, have suffered increased phishing and scamming attempts since the breach. Bereta also has seen her credit score drop in the months following the hack, court documents said.
The suit lists seven justifications for financial compensation on behalf of its plaintiffs: negligence, breach of express contract, breach of implied contract, two counts of breach of fiduciary duty, violation of the Montana Code Annotated relating to computer security breaches and unjust enrichment. It seeks compensation, damages and reimbursement of the cost of legal fees among other “punitive or exemplary damages.” It also asks the court to require Logan Health to offer identity theft monitoring for an extra five years and direct the organization to “secure and fully encrypt” confidential data.
A spokesperson for Logan Health did not respond to inquiries prior to the Daily Inter Lake’s press deadline. Kovacich deferred comment until after the medical facility was served and he brought his co-counsel aboard the suit.
IT’S NEITHER Logan Health’s first data breach in recent memory nor its first class-action lawsuit as a result of a hack. In late 2020, the organization agreed to establish a $4.2 million settlement fund for individuals affected by a 2019 data breach.
In that case, officials said a phishing attempt tricked employees into providing login information. The hack exposed personal information related to about 130,000 patients. Then, as now, officials noted an increase in the number and sophistication of the cyber attacks.
“Within the last year, more than 700 health systems and other organizations have experienced cyber security events impacting nearly 40 [million] individuals,” Lambrecht wrote in February. “We are committed to protecting the privacy of our patients and continue to take steps to combat these malicious threats. Our relationship with our patients is our most valued asset. I want to personally express my deepest regret for any inconvenience that these criminal actions may cause you and your family.”