UnityPoint Health discovered a data breach on February 15, 2018 that resulted in the exposure of the protected health information (PHI) of 16,429 patients. The breach apparently occurred because certain employees failed to recognize phishing emails and fell for them. UnityPoint Health sent breach notification letters to the patients whose information was exposed two months after discovering the incident, on or around April 16, 2018.
UnityPoint Health sent notification letters to patients explaining that some of their health information had been exposed. In April, a substitute breach notice was also posted on UnityPoint Health’s website. It listed the types of information that were likely accessed by the attackers. The patients’ names and one or more of the following data elements could have been accessed: birth dates, medical record number, surgical information, lab results, diagnoses, treatment information, medications, service dates, providers and/or insurance details. A limited number of patients may have had their financial information or Social Security numbers viewed.
UnityPoint Health also stated in the notification letters that it had received no reports suggesting the access, theft or misuse of patients’ PHI. Patients were advised to remain vigilant when reviewing their account statements and to check for fraudulent or irregular activity. UnityPoint Health left the burden of protecting against identity theft and fraud on the patients themselves. They were not offered credit monitoring or identity theft protection services, and no insurance policy was provided to cover the misuse of their data.
In response to the data breach, attorney Robert Teel filed a class action lawsuit against Iowa Health Systems Inc, the company that runs UnityPoint Health. The lead plaintiff in the class action lawsuit is Yvonne Mart Fox of Middletown, WI. Fox accused UnityPoint Health of delaying the issuance of notification letters to patients and regulators. Another allegation is that UnityPoint Health misrepresented the nature, breadth, scope, harm and cost of the privacy breach.
According to Fox, she suffered from sleep deprivation because of the breach and experienced daily anger. She also claims that she has been receiving more automated calls to her mobile and landline phones, as well as more marketing and spam emails, since the breach and theft of her contact information. Together with other class members, Fox is seeking compensatory, punitive and other damages.
HIPAA requires covered entities to issue notifications to patients and submit reports to the Department of Health and Human Services’ Office for Civil Rights within 60 days of the discovery of a data breach. Waiting two months before sending notifications could still be deemed a violation of the HIPAA Rules: it may fall within the time limit HIPAA sets for notification, but if the entity does not adhere to the requirement to send notifications “without unnecessary delay,” it could be in violation and may be penalized.