UnityPoint Health, based in Des Moines, Iowa, has decided to resolve a proposed class action lawsuit filed by victims of two phishing attacks in 2017 and 2018 that resulted in the exposure of the protected health information (PHI) of 1.4 million patients.
The first phishing attack happened in November 2017, and UnityPoint Health found out about it on February 15, 2018. The attackers had access to the email accounts of several employees at its Madison campus for over 3 months and may have acquired the PHI of around 16,429 patients. Patients received breach notifications in April 2018.
The second phishing attack, in March 2018, involved the impersonation of a UnityPoint executive and was far more extensive. A number of employees disclosed their login credentials after responding to the phishing email. UnityPoint Health discovered the attack in May 2018. According to the investigation, the PHI of 1.4 million patients was found in the compromised email accounts, making this the second biggest healthcare data breach reported in 2018. The attackers had access to the email accounts for roughly one month before the breach was discovered and the accounts were secured. UnityPoint Health sent notification letters to affected patients in August 2018.
The victims filed a lawsuit after the breach announcement. Allegedly, UnityPoint Health did not handle the breach properly and misrepresented the scope, nature, breadth, cost, and harm of the breach. Breach notifications were not issued within the 60-day time period required by the HIPAA Breach Notification Rule. Further, the notifications sent to the patients did not mention the compromise of their Social Security numbers.
The breach notification letters issued by UnityPoint Health stated that there was no evidence suggesting the exposure of patients’ PHI would result in unintended uses, even though the affected patients were in fact at risk. UnityPoint Health also did not provide credit monitoring or identity theft protection services to breach victims, even though driver’s license numbers and Social Security numbers had been exposed.
UnityPoint Health partly succeeded in having the lawsuit dismissed when a US District Court judge dismissed some of the claims in July 2019. The remaining claims were retained, as the judge decided that the plaintiffs’ allegations contained adequate facts pointing to a reasonable probability of future identity theft.
The proposed settlement of June 26, 2020 resolving the lawsuit will give victims monetary and injunctive relief. UnityPoint Health agreed to provide at least $2.8 million to class members for claims. Each affected person can file a claim of up to $1,000 for documented ordinary out-of-pocket expenses, such as credit monitoring and identity theft protection services, and up to 3 hours of lost time billed at $15 per hour.
A person is also entitled to a claim of up to $6,000 for extraordinary expenses, covering documented out-of-pocket expenses and up to 10 hours billed at $15 per hour for time lost dealing with credit freezes, credit monitoring services, and other activities undertaken because of the breach. Unlike most data breach settlements, UnityPoint Health did not put a cap on extraordinary expense claims, so UnityPoint Health will pay the actual losses submitted by victims with valid claims. All victims will additionally be eligible for a one-year membership in credit monitoring and identity theft protection services, with a $1 million identity theft insurance policy. The cost of the credit monitoring services and insurance policy per class member is estimated at $200.
The four breach victims named in the filed lawsuit could claim an extra $2,500 each. UnityPoint Health will also pay all the costs of notice and claims administration plus attorney fees amounting to around $1.58 million.
UnityPoint Health additionally agreed to improve its network and data security. A third-party security company will audit UnityPoint Health annually to verify that adequate security measures are in place and that the provider complies with security guidelines.
Because there is no cap on claims, this healthcare data breach settlement may become one of the biggest ever. The settlement now only requires a judge’s approval, expected at the end of the year, to be finalized.