Attorneys for Logan Health want a class action lawsuit brought by victims of its November data breach dismissed, arguing the plaintiffs could not prove the hack caused harm.
Filed in Flathead County District Court in March, the lawsuit accuses the nonprofit of failing patients with its inability to keep hackers from accessing a file server containing shared folders for business operations. Those computer files contained patient information, though not medical records, forensic investigators later determined.
The private data of more than 213,000 patients — 174,761 of them Montana residents — were exposed in the hack. Logan Health officials described the incident as a “highly sophisticated criminal attack” in a Feb. 18 letter announcing the breach.
Attorney Mark Kovacich of Great Falls-based Odegaard Kovacich Snipes laid responsibility for protecting patient data at the feet of the nonprofit and argued in the lawsuit that the breach left his clients vulnerable to fraud, among other losses.
“Because of [Logan Health’s] failure to protect their information, plaintiffs and class members will be at a heightened risk of identity theft for the rest of their lives,” reads the lawsuit.
The suit seeks financial compensation, reimbursement of legal fees, paid identity theft monitoring for an additional five years beyond what the medical outfit is offering victims and asks the court to direct Logan Health to further secure confidential data.
BUT ATTORNEYS for Logan Health say Kovavich and his clients failed to show any actual damage from the data breach. In a 26-page response filed in district court on June 1, the nonprofit sought the dismissal of the lawsuit.
As evidence of the harm caused by the hack, the lawsuit argues that the two named plaintiffs, Farrah Bereta and Illyhia Birk, weathered an increase in phishing and scamming attempts in the months since the breach. The two, along with other patients, suffered a risk of future identity theft, the anticipated loss of money spent protecting against identity theft and a loss of privacy.
“Notably, the plaintiffs do not allege they have suffered identity theft or fraud, or actually incurred any expenses as a result of the incident,” rebutted Gary Zadick of Ugrin Alexander Zadick, a Great Falls law firm representing Logan Health in the case.
Zadick’s motion to dismiss and the accompanying memorandum blasts the plaintiffs for lack of standing to file suit, a burden they must meet. The suit offers no evidence of any financial harm — current or impending — suffered by the pair as a result, according to the motion. The plaintiffs’ other alleged damages, including loss of time, invasion of privacy and effort spent on identity theft protection, “are not concrete injuries accepted by courts,” the motion argues.
Additionally, the lawsuit alleged that Bereta’s credit score had fallen since the breach, arguing that the drop owed not to any action she took. Zadick’s response notes the lack of connection between the hack and Bereta’s new credit score.
“She does not allege any specific incidents of fraud that would have caused her credit score to decrease and does not actually allege the decrease is related to the incident,” the motion reads. “There exist multiple reasons one’s credit score could decrease without taking specific action, such as a failure to make payments on existing debts or a third-party credit inquiry.”
THE LAWSUIT listed seven justifications for compensation on behalf of its plaintiffs. It accused Logan Health of negligence, breach of express contract, breach of implied contract, breach of fiduciary duty twice over, violation of the Montana Code Annotated as it relates to computer security and unjust enrichment.
Zadick’s motion to dismiss takes all seven to task. For negligence, the response reiterated the lack of evidence of financial harm. Under breach of contract, the document notes that the lawsuit cites the nonprofit’s privacy practices, but no actual written agreements.
As for invasion of privacy, the response points out that Logan Health did not intrude on the plaintiffs’ privacy.
“No action or inaction of Logan Health was intentional and Logan Health itself did not commit the alleged intrusion,” the motion reads.
Turning to breach of fiduciary duty, Zadick argues that data security is independent of the main exchange of services between patients and Logan Health — medical care. As for the alleged Montana Code Annotated violation, which revolves around the timeliness of Logan Health’s announcement of the data breach, the motion argues that the law does not provide for civil liability. Further, Logan Health alerted patients to the hack in February after confirming the incident in January.
Finally, focusing on unjust enrichment, the motion again notes that Logan Health primarily provided medical services and did not benefit from collecting patients’ personal information and did not hand that data over to other parties.
The argument that a portion of the plaintiffs’ fees for medical services went to data protection also fails to hold up, the motion concludes.
“Plaintiffs do not allege that Logan health failed to provide the medical services that [they] paid for, or even that they were provided inadequately,” it reads. “Plaintiffs also fail to allege what portion of the money they paid to Logan Health was for data privacy as compared to medical services, which renders their claim impossible to adjudicate.”
Zadick asked that the case be dismissed with prejudice, meaning it could not be refiled against Logan Health. District Judge Robert Allison is overseeing the case.
News Editor Derrick Perkins can be reached at 758-4430 or firstname.lastname@example.org.