Class Action Lawsuit Claims UnityPoint Health Misinformed Patients over Severity of Phishing Attack

May 10, 2018


A class action lawsuit has been filed in response to a data breach at UnityPoint Health in which the protected health information (PHI) of 16,429 patients was exposed and potentially obtained by unauthorized individuals.

As with many other healthcare data breaches, PHI was exposed because employees fell for phishing emails. UnityPoint Health discovered the breach on February 15, 2018, and sent breach notification letters to affected patients two months later, on or about April 16, 2018.

HIPAA-covered entities have up to 60 days after discovering a data breach to issue notifications to patients. Many healthcare organizations wait before issuing breach notifications and submitting reports of the incident to the Department of Health and Human Services’ Office for Civil Rights (OCR).

Waiting two months to notify breach victims could be viewed as a violation of HIPAA Rules. Although the maximum notification deadline was not exceeded, the HIPAA Breach Notification Rule requires notifications to be issued ‘without unnecessary delay.’ The HHS’ Office for Civil Rights has taken action over late breach notifications in the past, although no financial penalties have been issued when notification letters were sent within 60 days of the discovery of a breach.

The notification letters explained to patients that some of their health information had been exposed. The substitute breach notice posted on the UnityPoint Health website in April stated that the types of information potentially accessed by the attackers included “patient names and one or more of the following: dates of birth, providers, medications, lab results, diagnoses, surgical information, treatment information, medical record numbers, dates of service and/or insurance information. For a limited number of impacted people, information that might have been seen included Social Security Numbers or other financial information.”

UnityPoint Health told patients that it had received no reports indicating that their PHI had been stolen, accessed, or misused.

Patients were advised to “remain alert in checking your account statements for irregular or fraudulent activity,” but the burden of protecting against identity theft and fraud was placed on the patients themselves. Affected individuals were not offered credit monitoring or identity theft protection services, nor were they covered by an insurance policy against misuse of their data.

The lawsuit was filed on May 4 by attorney Robert Teel against Iowa Health Systems Inc., the company that operates UnityPoint Health. Yvonne Mart Fox, of Middleton, WI, the lead plaintiff in the class action, accuses UnityPoint Health of delaying its reporting of the breach to patients and regulators. She also alleges that UnityPoint Health “misrepresented the harm, scope, breadth, nature, and cost of the secrecy breach.”

Fox claims she has suffered loss of sleep as a direct result of the breach and experiences daily anger. She also claims to have seen an increase in automated calls to her landline and cellphone in 2018 and an increase in marketing and other spam emails, which have been attributed to the theft of her contact information.

Fox and other class members are seeking punitive, compensatory, and other damages.