Entity Will Pay $4.3 Million Settlement in 2nd Big Hack
Deal to End Lawsuit in 2021 Breach Follows a $4.2 Million Settlement in a 2019 Hack
Marianne Kolbasuk McGee (HealthInfoSec) • January 27, 2023
Logan Health Medical Center in Kalispell, Montana (Image: Logan Health)
A Montana healthcare organization will pay $4.3 million to settle a consolidated class action lawsuit filed in the wake of a 2021 hacking incident affecting nearly 214,000 individuals. The deal is the entity’s second multimillion-dollar lawsuit settlement in the last four years involving a major hacking breach.
Plaintiffs in the latest litigation alleged that Logan Health Medical Center failed to adequately protect their personal information and that they were injured as a result of a 2021 hacking incident (see: Class Action Filed in Logan Health Breach Affecting 214,000).
As part of its preliminary settlement, approved by a Montana federal court judge last month, Logan Health has denied any wrongdoing.
Logan Health – while operating under its previous name, Kalispell Regional Healthcare – in 2020 also agreed to a $4.2 million settlement in another class action lawsuit related to a separate 2019 hacking incident that affected 140,000 individuals. The entity also denied any wrongdoing as part of that settlement.
Hard Lessons to Learn?
Plaintiffs in the 2022 lawsuit complaint alleged the Montana center failed to learn the lessons of its 2019 hack or to follow up on its pledge to improve its cybersecurity.
“The 2021 data breach occurred because, despite representations to the contrary, Logan Health failed to implement adequate and reasonable training of employees and/or procedures and protocols which would have prevented the data breach from occurring,” the suit alleged.
Logan Health is agreeing to “business practice changes” involving its security.
Back-to-back hacking incidents – and the resulting legal fallout – are threats and risks many healthcare sector entities potentially face, some experts say.
“Logan’s experience unfortunately illustrates how all healthcare providers, regardless of their geographic location or the size of their population centers, need to stay vigilant and not let their guard down,” says attorney Jeff Westerman of Westerman Law Corp., who is not involved in the Logan Health cases.
A final fairness court hearing for the settlement is set for March 9. Class members have until April 3 to submit claims.
Under the settlement, each eligible class member can claim:
- Reimbursement of out-of-pocket losses, such as money spent or lost, fairly traceable to the Logan Health data security incident, up to $25,000;
- Reimbursement for lost time related to efforts undertaken to prevent or mitigate fraud and identity theft following the announcement of the Logan Health data security incident, up to $125;
- Three years of credit monitoring.
Also, under the settlement, Logan Health agrees not to oppose class counsel’s request for an award of attorneys’ fees up to one-third of the $4.3 million settlement fund – or about $1.43 million – and reimbursement of litigation costs and expenses up to $150,000.
Attorneys representing Logan Health and plaintiffs in the litigation did not immediately respond to Information Security Media Group’s requests for comment on the settlement.