A reality based independent journal of observation & analysis, serving the Flathead Valley & Montana since 2006. © James Conner.


17 November 2019 — 0826 mst

Patients’ data stolen, compliance reports gundecked

Scandals continue to bedevil Kalispell Regional Healthcare

I’ve received what I think was adequate care at Kalispell Regional Hospital — but I don’t like the place, and I most surely don’t like the way it’s run. Last year we learned that empire building by Kalispell Regional Healthcare’s executives (a way to boost their salaries) took liberties with the law; after the federal government forced KRH back onto the legal straight and narrow, the result was a multi-million-dollar payout and various restrictions and conditions placed on the organization.

Now we learn from the InterLake’s Colin Gaiser that:

The Office of Inspector General sent a letter on Aug. 28, 2019, to Kalispell Regional that demands stipulated penalties “based on the failure to comply with the obligation to meet board member training requirements and for a false certification by or on behalf of KRHS (Kalispell Regional Healthcare System) as part of its Implementation Report.”

Sweet Jesus! Is there not a single true-pointing moral compass at KRH? Gundecking the certification is inexcusable. And crazy. Not meeting the board training obligation was not good, but neither was it a death penalty offense. Why lie about it? Why not admit it and meet the obligation? There’s only one reason for lying that comes to my mind: KRH never intended to meet the obligation, and was operating in bad faith from the get-go.

That conduct doesn’t instill confidence in the wit and probity of KRH’s administrators and board members.

We wuz hacked! Your records were stolen. Hey, stuff happens.

Neither does KRH’s response to the hacking into and theft of the medical records of approximately 129,000 patients. The letter (PDF; below, annotated text) KRH sent to the victims, via Atlanta, GA, is a masterpiece of admitting to misfortune in a way intended to limit KRH’s liability for not guarding medical records effectively. I found the tone of the letter, which should have begun, “Dear Mr. Conner; ¶ Your medical records at Kalispell Regional Healthcare were stolen. Criminals smarter than our information technology staff hacked into our system. Here’s what happened, and how we’ll help you mitigate the damage,” so infuriating that a triple bourbon hardly lowered my ire.

Here’s the letter. Given the gundecking culture at KRH, one might be wise to take its contents with a Brobdingnagian grain of salt.

Note. Information specific to the recipient of this letter was deleted.

KALISPELL REGIONAL HEALTHCARE

October 18, 2019

Subject: Notice of Data Security Event

Translation: “We wuz hacked.”

Dear

Despite being named in the top quartile for data security readiness by a third party firm, Kalispell Regional Healthcare (KRH) was recently the victim of a highly sophisticated attack on our information technology systems. This data security event may have involved your personal information. Safeguarding our patients and their personal information is a top priority, and we want you to be aware of what happened and how we have addressed it. Most importantly, we want to protect you as best we can by offering you twelve (12) months of identity monitoring services at no cost.

Comment. The third party firm is not named. Therefore, the competence of that firm cannot be independently assessed. Here, KRH is trying to establish that it was duly diligent in protecting data, and was the victim not of its own incompetence but of the super competence of a nefarious third party; the victim of an act of God, or of the Devil, take your pick.

What happened? This summer we discovered that several employees were victims of a well-designed email that led them to unknowingly provide their KRH login credentials to malicious criminals. We immediately disabled their accounts, notified federal law enforcement, and launched an investigation, which was performed by a nationally-recognized digital forensics firm, to determine whether any personal information was affected. On August 28, 2019, we learned that some patients’ personal information may have been accessed without authorization. A deeper investigation determined that your personal information may have been accessed as early as May 24, 2019.

Comment. The “nationally-recognized digital forensics firm” is not named. Therefore, the competence of that firm cannot be assessed independently. Phishing often succeeds because we are trained to open letters and answer the telephone, and because someone distracted by anything while dealing with the day’s email traffic may not recognize subtle clues that something is amiss. But the system should be designed so that obtaining one person’s access codes doesn’t amount to seizing the master key to the kingdom.

What information was involved? Different information may have been involved for each person. The information may have involved your name, address, medical record number, date of birth, telephone number, email address, medical history and treatment information, date of service, treating/referring physician, medical bill account number and/or health insurance information.

Comment. The hackers blew the doors off the barn and stole everything. Whatever security KRH’s IT department thought was impenetrable was a slice of Swiss cheese.

What are we doing? Although there is no indication that the information was misused, we are offering you 12 months of identity monitoring services at no charge as an extra precaution. In addition, we have taken further steps to revise procedures that will minimize the risk of a similar event from happening again.

Comment. That paragraph is far from reassuring. KRH means “…there is not yet any indication that the information was misused….” The stolen data will be misused — it wasn’t ripped off just for fun — but it might not be used right away. The identity monitoring service is useful, but those whose identity is stolen will incur hefty identity recovery expenses — expenses that KRH is not offering to cover.

What you can do: You can follow the steps recommended on the following page to further protect your personal information. In addition, you can enroll in the complimentary identity monitoring services that we are offering for 12 months. The services include identity monitoring, fraud consultation, and identity theft restoration. To enroll in the services online… [remainder of sentence deleted]

The deadline to enroll in these services is January 31, 2020.

For More Information: If you have questions or need assistance, please call our designated help line at [deleted] Monday through Friday from 8:00 a.m. to 5:30 p.m. Central Time. Please have your membership number ready.

Comment. Central Time. That’s an hour ahead of Mountain Time. I’ll translate for KRH, which let out-of-state and out-of-time-zone lawyers write the letter. The help line is open 0700 to 1630 Mountain Time. That works well for people on the swing and night shifts.

We are committed to protecting the privacy of our patients and have taken steps to prevent similar events from occurring in the future. In addition, we will work with the authorities to hold the perpetrators accountable for this attack against your privacy.

Our relationship with our patients is our most valued asset. I want to personally express my deepest regret for any inconvenience that these criminal actions may cause you and your family.

Comment. Inconvenience? INCONVENIENCE? I don’t associate “inconvenience” with the major league financial damage I may suffer because KRH was hacked.

Craig Lambrecht, MD
President & CEO
Kalispell Regional Healthcare
