Kalispell Healthcare staff snared by “well-designed” phishing email

Phishing scam puts 130,000 US patient records at risk

The personally identifiable information of hundreds of thousands of US healthcare patients may have been compromised following a data breach at Kalispell Regional Healthcare (KRH) in Montana.

Succumbing to a “well-designed email”, several employees unwittingly shared company login credentials with unauthorized persons, the company said in a security alert posted to its website this week.

The advisory didn’t specify the number of patients affected, but local press outlets are reporting a figure of about 130,000.

Internal investigation

KRH said the stolen information, which varied between patients, may have included names, addresses, email addresses, phone numbers, dates of birth, Social Security numbers, and medical record numbers.

Patients’ medical history, medical bill account numbers, and health insurance information could also have been exposed, the healthcare organization stated.

According to KRH, the company’s IT staff first learned about the breach on August 28. However, an internal investigation revealed that patient data may have first been accessed as early as May 24, 2019.

Commenting on the gap between breach discovery and notifying customers – a process started about 10 days ago – KRH spokesperson Mellody Sharpton told NBC Montana: “We don’t want to notify people unless we’re certain there was a problem.”

KRH says it’s issuing advice to those potentially affected, including reviewing account statements, reporting suspicious activity to the authorities, and placing security freezes on credit files.

Complimentary fraud consultation, identity theft restoration services and, depending on the data at risk, 12 months of web and credit monitoring services are also on offer.

KRH says there is, as yet, no evidence that stolen data has been misused.

“We are committed to protecting patients’ privacy and have taken steps to prevent similar events from occurring in the future,” said Craig Lambrecht, Kalispell CEO and president.

“The organization will work with the authorities to hold the perpetrators accountable for this attack against patients’ privacy.”

Details of the incident are not yet listed on the Department of Health and Human Services’ HIPAA data breach portal.

The Daily Swig has contacted KRH for further comment relating to the number of potentially impacted individuals.
