Class action filed after Kootenai Health data breach

COEUR d’ALENE — Kootenai Health allegedly failed to protect the personally identifiable information and personal health information of patients, resulting in a large data breach that put patients at risk of fraud or identity theft, according to a proposed federal class action filed against the hospital.

In an April 19 complaint filed in U.S. District Court, Idaho resident Sonna Griffiths alleged that Kootenai Health didn’t comply with industry standards to protect information systems containing personal data. 

Griffiths seeks orders requiring Kootenai Health to “fully and accurately disclose the nature of the information that has been compromised” and to adopt security practices to prevent such a security breach from happening again, according to court records. 

The complaint stems from a data security incident that occurred Feb. 22, when “an unknown actor may have gained unauthorized access to certain data from the Kootenai Health network,” according to an Aug. 12 letter sent by the hospital to affected patients. 

Kootenai Health reportedly became aware of “unusual activity that disrupted certain IT systems” March 2 and launched an investigation. A month later, Kootenai Health published a news release about the suspicious activity. 

The hospital had completed “a comprehensive review of the impacted data to determine what personal and/or protected health information was involved” by Aug. 1, according to the letter. 

“The information involved, if impacted, may have included your name, along with your date of birth, Social Security number, driver’s license or government-issued identification number, medical record number, medical treatment and condition information, medical diagnoses, medical information and health insurance information,” the letter said in part. 

The complaint alleges that Griffiths and other class members have suffered “numerous actual and concrete injuries” as a result of the data breach, including financial costs and lost time incurred mitigating the risk of identity theft, as well as costs and lost time incurred due to “actual identity theft.” 

“The exposure of one’s private information to cybercriminals is a bell that cannot be un-rung,” the complaint said in part. “Before this data breach, plaintiff’s and the class’s private information was exactly that — private. Now their private information is forever exposed and unsecure.” 

Griffiths seeks an order certifying the class and appointing her and her legal counsel to represent the class, as well as a jury trial, an award of damages and attorney fees and relief compelling Kootenai Health to use “appropriate cyber security methods and policies” with regard to personal health information and personally identifiable information. 

Kootenai Health has asked the court to dismiss the complaint, arguing that Griffiths lacks standing to bring the lawsuit and has failed to state a claim. 

In a motion to dismiss, Kootenai Health said Griffiths filed the lawsuit solely based on the April 3 news release, alleging claims for negligence, breach of implied contract, breach of fiduciary duty, unjust enrichment and declaratory judgment, “all based on her speculation that her personal information was somehow compromised.” 

“Here, Plaintiff has not alleged that she personally suffered any instances of fraud, identity theft or actual misuse of her information as a result of the data incident,” the motion said in part. “Instead, Plaintiff merely speculates that she is now at an increased risk of future harm and generically alleges she suffered invasion of privacy, diminution in the value of her (personally identifiable information and personal health information), lost time, and emotional distress — none of which qualify as a concrete harm sufficient to confer Article III standing here.” 

Kootenai Health also argued that Griffiths’ claims of negligence are insufficient and that Griffiths has not identified an “actual breach of any duty” by the hospital. 

“Plaintiff alleges that, because the data incident occurred, Kootenai Health must have breached some duty,” the motion said. “That is not enough.” 

Court records indicate that Griffiths has until Sept. 19 to respond to the motion to dismiss. 

In an unopposed motion, Griffiths also seeks to consolidate three similar cases into the proposed class action. 

“Since (Kootenai Health) began sending notice letters, there are now three related actions to this action filed in this district, each arising from the same data breach,” a court filing said. “There are expected to be more.” 

Kootenai Health did not immediately return a request for comment Friday.