Cyberattack on Kalispell Regional breaches patient data

A data breach at Kalispell Regional Healthcare earlier this year may have compromised the personal information of nearly 130,000 patients, hospital officials reported on Tuesday.

Kalispell Regional said the hackers used fraudulent emails to bait employees into providing login credentials. The hospital did not know the extent of attack, which happened in May, until an outside forensic firm concluded its investigation in late August. A deeper investigation has since identified the specific patients who were affected.

The vulnerable information is different for each patient, but could involve names, addresses, phone numbers, medical bill account numbers, health insurance information and medical history. The hospital estimates about 250 patients may have had their Social Security numbers taken.

Of those affected, 90 percent are Montana residents.

Patients seen exclusively at North Valley Hospital, an affiliate of Kalispell Regional Healthcare, should not be affected. But North Valley patients often receive services from Kalispell Regional Medical Center and could be affected if they have done so, according to Kalispell Regional spokeswoman Mellody Sharpton.

Kalispell Regional is in the process of mailing notification letters to all those affected, which patients should receive in the coming days. The letters will tell patients what types of their personal information might have been taken and will provide steps to protect that information.

The hospital is offering all notified patients complimentary fraud consultation and identity theft restoration services. Certain patients will also receive 12 months of free web or credit monitoring services, depending on that patient’s affected information.

The forensic firm that performed the investigation was not able to track the source of the attack.

“This wasn’t your everyday, average hacker. They were very sophisticated at disguising their tracks,” said Melanie Swenson, director of information technology at Kalispell Regional Healthcare. She added that her department blocks about 50,000 incoming email threats per day.

Since the breach, the hospital has taken steps to minimize the chance of another breach, such as helping employees learn how to identify suspicious emails.

“This is an educational moment. I don’t think people realize how robust” the IT system has to be to handle outside threats, Swenson said.

A 2018 audit by cybersecurity consulting firm CynergisTek found Kalispell Regional was in the top 9% of organizations in the health-care industry for cybersecurity compliance.

“We are committed to protecting patients’ privacy,” Craig Lambrecht, chief executive officer of Kalispell Regional Healthcare, said in a media statement. “In addition, the organization will work with the authorities to hold the perpetrators accountable for this attack against our patients’ privacy.”

Hospital data breaches are becoming increasingly common, according to the U.S. Department of Health and Human Services Office for Civil Rights. Within the last 90 days, 23 hospitals in the United States have reported data breaches affecting at least 500 individuals.

Montana hospitals have experienced 16 “data security incidents” since 2011, the Office for Civil Rights reports, including large data breaches at the Billing Clinic and Bozeman Deaconess Hospital.

For more information, Kalispell Regional is directing patients to call its designated help line at 1-877-514-0850.