Lawsuit filed after the Kootenai Health data breach

Kootenai Health is facing a federal class-action lawsuit for allegedly failing to protect sensitive patient information. After the breach, some individuals became at risk of identity theft and fraud. 

What happened

Kootenai Health, a major hospital in Idaho, is facing a lawsuit after allegedly failing to protect sensitive patient information. The federal class-action lawsuit was filed by Sonna Griffiths, an Idaho resident, claiming that Kootenai Health did not follow proper industry standards, leading to a significant data breach. The breach, which occurred on February 22, potentially exposed personally identifiable information (PII) and personal health information (PHI) of patients, putting them at risk of identity theft and fraud.

Related: What is the difference between PII and PHI?

The backstory

On March 2, Kootenai Health discovered unusual activity on its IT systems, signaling a potential data security incident. The hospital launched an investigation and, by August 1, had completed a comprehensive review of the impacted data. Affected patients were notified on August 12, revealing that sensitive information, including names, Social Security numbers, medical records, and health insurance details, may have been compromised.

Griffiths' lawsuit, filed on April 19, alleges that Kootenai Health’s inadequate security measures led to the breach, causing harm to patients whose data was exposed. The lawsuit demands the hospital disclose the extent of the breach and implement stronger security practices to prevent future incidents.

What was said

According to the Coeur d'Alene Press, Kootenai Health released a letter stating, “The information involved, if impacted, may have included your name, along with your date of birth, Social Security number, driver’s license or government-issued identification number, medical record number, medical treatment and condition information, medical diagnoses, medical information and health insurance information.”

Sonna Griffiths argues that she and other plaintiffs have suffered "numerous actual and concrete injuries" as a result of the data breach, including financial costs, lost time spent mitigating identity theft risks, and emotional distress. They assert that their private information is permanently exposed, causing ongoing harm.

In response, Kootenai Health has asked the court to dismiss the case, arguing that Griffiths lacks standing to sue because she has not demonstrated any specific harm caused by the breach. The hospital claims the lawsuit is based on speculation, without evidence that Griffiths’ personal information was misused. “Here, Plaintiff has not alleged that she personally suffered any instances of fraud, identity theft or actual misuse of her information as a result of the data incident,” said Kootenai Health. “Instead, Plaintiff merely speculates that she is now at an increased risk of future harm and generically alleges she suffered an invasion of privacy, diminution in the value of her (personally identifiable information and personal health information), lost time, and emotional distress — none of which qualify as a concrete harm sufficient to confer Article III standing here.” 

Why it matters

Healthcare data breaches can be concerning because of the private and sensitive information held by healthcare companies. When patients' personal and health information is compromised, it can lead to severe consequences, including identity theft, fraud, and loss of trust in healthcare providers. 

As digital records become more prevalent, healthcare providers are increasingly expected to implement robust cybersecurity measures. Failure to do so violates patients' trust and can lead to legal action, financial penalties, and damage to the institution's reputation.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What is a data breach?

A data breach occurs when sensitive patient information, such as personally identifiable information (PII) or personal health information (PHI), is accessed, disclosed, or stolen by unauthorized individuals. 

See also: Healthcare data breaches: Insights and implications

How do healthcare data breaches typically occur?

Healthcare data breaches can occur due to various reasons, including:

• Hacking and cyberattacks: Unauthorized access by external parties using malicious software or exploiting vulnerabilities in the system.
• Insider threats: Employees or contractors who misuse their access to sensitive information.
• Lost or stolen devices: Unencrypted laptops, phones, or USB drives containing patient information that are lost or stolen.
• Accidental exposure: Mistakes such as sending sensitive information to the wrong recipient or improper disposal of records.