Montana health system phishing scam affects 130,000 patients

A phishing scam targeting employees at Kalispell Regional Healthcare may have compromised health information of nearly 130,000 patients, the Montana health system confirmed.

Kalispell discovered the phishing incident, in which several employees unknowingly provided login credentials to hackers in response to a “well-designed email,” this summer, according to a notification the system posted online Tuesday. Those hackers may have gained unauthorized access to Kalispell’s IT systems as early as May 24.

Kalispell said it launched an investigation and disabled the compromised accounts upon discovering the data breach.

The investigation on Aug. 28 determined that up to 129,641 patients may have had health information accessed in the breach, which could have included names, medical record numbers and Social Security numbers.

Kalispell has offered free fraud consultation and identity theft restoration services to all patients who were affected in the breach. Some patients were also offered a year of web or credit monitoring services, depending on what information was exposed.

To date, there is no evidence patient information exposed in the breach has been misused, according to Kalispell.

“We are committed to protecting patients’ privacy and have taken steps to prevent similar events from occurring in the future,” said Craig Lambrecht, Kalispell’s president and CEO, in a statement. “In addition, the organization will work with the authorities to hold the perpetrators accountable for this attack against patients’ privacy.”

Kalispell officials stressed the system’s commitment to cybersecurity. During its most recent annual review and threat assessment, cybersecurity consulting firm CynergisTek had said the health system was in the top 9% of healthcare organizations for data security readiness, according to a Kalispell spokesperson.

David Finn, executive vice president of strategic innovation at CynergisTek, said the company doesn’t comment on work with its customers, but said its framework for assessing data security readiness includes evaluating compliance with HIPAA and the National Institute of Standards and Technology’s cybersecurity framework.

“Your risk posture is never the same from moment to moment,” he said. “You plug new things into your network, you change systems, you hire new people, and all that changes your risk posture. Security is very fluid … Nothing is 100% in the security world.”

There’s been a marked increase in email breaches in recent years.

Since 2017, email has been the primary outlet through which health data is exposed, according to data from the HHS’ Office for Civil Rights, the agency that maintains the government’s database of healthcare breaches. In previous years, healthcare organizations and their business associates were more likely to attribute breaches to theft of paper records or laptops.