Class Action Lawsuit Claims UnityPoint Health Misinform Patients over Harshness of Phishing Attack


A class action court case has been filed in reaction to a data breach at UnityPoint Health that saw the PHI of 16,429 patients disclosed and possibly obtained by illegal people.

As with several other healthcare data breaches, PHI was disclosed as a consequence of workers falling for phishing electronic mails. UnityPoint Health found the security breach on February 15, 2018 and sent breach notice letters to affected patients two months later, on or around April 16, 2018.

HIPAA-protected units have up to 60 days following the detection of a data breach to issue notices to patients. Several healthcare companies wait before delivering breach notices and presenting statements of the occurrence to the Division of Health and Human Services’ OCR.

Waiting for two months to deliver notices to breach sufferers might be seen as a defiance of HIPAA Laws. Although the maximum time limit for recording was not surpassed, the HIPAA Breach Notice Law requires notices to be sent ‘without unnecessary delay.’ The HHS’ OCR has taken action over late breach notices in the past, even though no fines have been issued when notice letters have been sent within 60 days of the finding of a breach.

The notice letters described to patients that a few of their health information had been disclosed. The alternate breach notification posted on the UnityPoint Health website in April said the kinds of information possibly accessed by the attackers contained “patient names and one or more of the following: dates of birth, providers, medications, lab results, diagnoses, surgical information, treatment information, medical record numbers, dates of service and/or insurance information. For a limited number of affected people, information that might have been seen included Social Security Numbers or other financial information.”

UnityPoint Health informed patients no reports had been received to indicate that their PHI had been accessed, stolen, or abused.

Patients were encouraged to “remain watchful in reviewing your account statements for fake or irregular activity”, even though the burden of safeguarding against identity theft and the scam was passed on to patients. Impacted people were not offered credit checking and identity theft protection facilities nor were they covered by an insurance policy covering abuse of their data.

The court case was filed on May 4 by lawyer Robert Teel against Iowa Health Systems Inc., the business that manages UnityPoint Health. Yvonne Mart Fox, of Middleton, WI, lead complainant in the class action court case, has accused UnityPoint Health of delaying informing the breach to regulators and patients. She also charges UnityPoint Health “distorted the nature, breadth, scope, damage, and cost of the privacy breach.”

Fox claims she has experienced sleep deficiency as a direct consequence of the breach and suffers daily anger. She also claims to have had an increase in the number of automatic calls to her cellphone and landline in 2018 and a surge in marketing and other junk electronic mails, which have been attributed to the theft of her contact information.

Fox and other class members are requesting compensatory, punitive, and other harms.