International Trade Today is a Warren News publication.
'Increased Risk' of Fraud

Idaho Resident Sues Healthcare System After PII Theft in March Cyberattack

Kootenai Health failed to comply with industry standards to protect information systems that contain patients’ personally identifiable information (PII) and personal health information (PHI) during an early March data breach, alleged a class action Friday (docket 1:24-cv-00205) in U.S. District Court for Idaho in Boise.

Sign up for a free preview to unlock the rest of this article

If your job depends on informed compliance, you need International Trade Today. Delivered every business day and available any time online, only International Trade Today helps you stay current on the increasingly complex international trade regulatory environment.

Plaintiff Sonna Griffiths, an Idaho resident, was required to provide her PII and PHI as a condition of receiving medical service at Kootenai Health, said the complaint. Griffiths is careful about sharing her private information and stores documents containing her PII and PHI in a safe and secure location, it said. She has never knowingly transmitted unencrypted private information over the internet or another unsecured source and isn’t aware of having been part of a data breach involving her PII or PHI, it said.

As a result of Kootenai’s data breach, Griffiths is concerned that her PII and PHI have been exposed to “bad actors,” the complaint said. Since the breach, she has taken steps to avoid identity theft, including closing some accounts, checking her credit monitoring service, setting up notices and reports, and carefully reviewing all her accounts, the complaint said.

Kootenai’s April 3 press statement said the company had “no evidence that any information has been misused,” the complaint said. The healthcare company was performing a “comprehensive review” of the cyberattack and would reach out to victims with more information when the review is complete, it said.

Griffiths has suffered actual injury from having her private information compromised in the data breach, including damage to and diminution in the value of her private information, violation of her privacy rights and “present, imminent and impending injury arising from the increased risk of identity theft and fraud,” the complaint said. She expects to spend “considerable time and money” going forward trying to mitigate and address harms caused by the data breach; she will be at increased risk of identity theft and fraud “for years to come,” it said.

Griffiths asserts claims of negligence and negligence per se, breach of implied contract and fiduciary duty, and unjust enrichment, and she seeks injunctive and declaratory relief, the complaint said. She also seeks an order requiring Kootenai Health to stop engaging in the wrongful conduct complained of and to use appropriate cybersecurity methods and policies regarding PII and PHI collection, storage, and protection. Griffiths requests awards of damages, attorneys’ fees, legal costs and prejudgment interest.