Kootenai Health faces federal class action over alleged data breach

Kootenai Health, a regional healthcare organization based in Coeur d’Alene, Idaho, is facing a federal class action lawsuit following allegations that it failed to adequately protect the personally identifiable information (PII) and personal health information (PHI) of its patients, leading to a significant data breach. The breach has reportedly exposed patients to fraud and identity theft risks.

The lawsuit was initiated by Idaho resident Sonna Griffiths, who filed a complaint on April 19 in the U.S. District Court. Griffiths alleges that Kootenai Health did not adhere to industry standards to safeguard information systems containing sensitive patient data. The lawsuit seeks a court order mandating the hospital to disclose the full extent of the compromised information and to implement robust security measures to prevent future breaches.

The case’s origins trace back to a security incident on February 22, when an unauthorized individual allegedly gained access to certain data within the Kootenai Health network. The hospital became aware of suspicious activity on March 2, which disrupted several IT systems, prompting an investigation. The hospital later confirmed on August 1 that the breach may have included sensitive information such as names, dates of birth, Social Security numbers, driver’s license details, and medical records.

Griffiths’ complaint argues that the data breach has caused actual harm to affected individuals, including financial losses, time spent mitigating the risks of identity theft, and the emotional distress associated with the loss of privacy. She seeks class certification, damages, attorney fees, and a jury trial. Griffiths also demands that Kootenai Health adopt comprehensive cybersecurity policies to protect PII and PHI better.

In response, Kootenai Health has filed a motion to dismiss the lawsuit, asserting that Griffiths lacks the standing to pursue the case and that her claims are speculative. The hospital argues that Griffiths has not demonstrated any direct harm, such as fraud or identity theft, resulting from the breach. The hospital contends that the complaint is based on speculation rather than concrete evidence of misuse of personal information.

Court records indicate that Griffiths has until September 19 to respond to the motion to dismiss. Additionally, Griffiths has requested the consolidation of three similar lawsuits into the proposed class action, citing the likelihood of additional related cases emerging. Kootenai Health has not provided a public comment regarding the lawsuit.