Health system Kootenai Health based in Coeur d’Alene, ID serves northern Idaho and the Inland Northwest. It recently reported a data security breach that affected patients, workers, and their dependents’ personal data and protected health information (PHI). While the incident interrupted some IT systems, Kootenai Health confirmed that its operations and the delivery of patient care were not impacted.
On March 2, 2024, Kootenai Health discovered unusual activity in its computer systems. Third-party cybersecurity specialists investigated the incident and found an unauthorized person accessed the system around February 22, 2024. Kootenai Health then reviewed all files on the affected systems to find out whether they included any personal data or PHI.
The review process was completed on August 1, 2024. It was confirmed that the security incident affected workers and patients of Kootenai Clinic, Kootenai Health, Kootenai Outpatient Imaging, and Kootenai Outpatient Surgery. The affected data contained names, birth dates, driver’s licenses, Social Security numbers, government-issued IDs, medical record numbers, health treatment and condition information, diagnoses, medication details, and medical insurance information. Although this information was compromised, Kootenai Health stated there was no evidence of data misuse at the time it issued notifications to impacted people on August 12, 2024. Free identity protection services were provided to those impacted by the breach.
Kootenai Health has informed the Federal Bureau of Investigation regarding the incident and expressed its commitment to do what is required to make those responsible accountable. The health system has also implemented enhanced security measures to prevent future breaches and to maintain HIPAA compliance. Kootenai Health has not shared with the public information concerning the nature of the attack, but it is believed that the 3AM ransomware group was responsible for the attack. This new Russian-speaking ransomware group, active since September 2023, has published 22GB of stolen information on its leak site, which implies that no ransom was paid. The group also included the Visiting Physicians Network based in North Texas on its data leak site, but no information about it is available yet so far.
The HHS’ Office for Civil Rights has not published the Kootenai Health data breach yet on its breach portal; but, Kootenai Health has informed the Maine Attorney General about the breach that impacted 464,088 people.