A class action lawsuit has been filed against UnityPoint Health over a data breach that exposed 16,429 patients’ protected health information (PHI) in late 2018 and potentially resulted in the theft of ePHI.
The breach occurred when employees responded to phishing emails. UnityPoint Health became aware of the data breach on February 15, 2018, but affected patients only received their breach notification letters two months later. The first email accounts were breached around April 16, 2018.
HIPAA-covered entities are required to issue breach notifications to patients within 60 days of discovering a data breach. Many healthcare organizations delay issuing breach notifications and submitting incident reports to the Department of Health and Human Services’ Office for Civil Rights (OCR). Waiting two months to send breach notifications to victims could potentially be classed as a HIPAA violation: even if the 60-day limit is not exceeded, the HIPAA Breach Notification Rule requires notifications to be sent ‘without unnecessary delay.’ OCR has previously taken action in cases of delayed breach notifications, although it has not issued any penalty where notification letters were sent within 60 days of discovering a breach.
UnityPoint Health explained to patients via the notification letters that some of their PHI had been exposed. A substitute breach notice published on its website in April listed the types of information the attackers may have accessed: patients’ names together with at least one of the following: date of birth, healthcare record number, treatment information, surgical information, diagnoses, laboratory results, prescribed medicines, provider names, dates of service and/or insurance details. The Social Security numbers or other financial data of a limited number of patients may have been exposed as well.
UnityPoint Health informed patients that no reports had been received that suggest the attackers accessed, stole or misused PHI.
Patients were told to remain vigilant and review their account statements for irregular transactions. The burden of protecting against fraud and identity theft was left to the patients themselves: UnityPoint Health did not offer affected persons credit monitoring or identity theft protection services, and there was no insurance policy to cover misuse of their data.
Attorney Robert Teel filed the lawsuit on May 4 against Iowa Health Systems Inc., which is the company that operates UnityPoint Health. The lead plaintiff in the class action lawsuit is Yvonne Mart Fox from Middleton, WI. Allegedly, UnityPoint Health delayed the sending of breach reports to regulators and patients. In addition, UnityPoint Health is claimed to have misrepresented the nature, breadth, extent, damage, and cost of the privacy breach.
According to Fox, she was deprived of sleep because of the breach and struggled with daily anger issues. She further claims that there was an increase in automated calls to her mobile phone and landline as well as marketing and spam emails following the breach.
Fox and other class members are seeking compensatory, punitive, and other damages.