Getty Images

UnityPoint Health Reaches $2.8M Settlement Over 2018 Data Breach

After two years of litigation and a partial dismissal, UnityPoint Health has reached a proposed $2.8M settlement with the 1.4 million patients impacted by two phishing-related data breaches.

Iowa Health System, doing business as UnityPoint Health, has reached a proposed $2.8 million settlement with the millions of patients impacted by two phishing-related data breaches in 2017 and 2018.

The settlement will provide the 1.4 million breach victims with monetary and injunctive relief, including one year of comprehensive credit monitoring and identity theft protection services and reimbursement of ordinary expenses up to $1,000 per settlement class member for costs incurred by credit monitoring and identity theft protection services.

The UnityPoint Health breach was the second largest healthcare security incident reported in 2018, impacting the health records of 1.4 million patients after the health system discovered two separate phishing attacks during the year.

The first detected incident was reported in April 2018, when several employees of its Madison campus fell victim to a phishing campaign. Discovered on February 15, 2018, the breach impacted about 16,000 patients and lasted between November 1, 2017 and February 7, 2018.

UnityPoint discovered the second, much larger breach on May 31, 2018, when threat actors sent a massive, highly targeted phishing campaign to UnityPoint employees. The emails were designed to appear as if sent from a UnityPoint executive, which tricked several employees into falling for the scam.

As a result, the threat actor gained access to the internal email system for nearly a month between March 14 and April 3, 2018. The emails contained a trove of patient-related information, from protected health information to Social Security numbers and driver’s licenses. Patients began receiving notifications in July 2018.

Several patients impacted by these events soon filed a class-action lawsuit against UnityPoint, arguing the health system mishandled the breach, delayed reporting the incident, and incorrectly told patients Social Security numbers were not impacted.

According to the lawsuit, UnityPoint waited more than the HIPAA-required 60 days to begin notifying patients, and its officials “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach."

The breach victims also took issue with UnityPoint’s assertion that “no information to date indicating that your protected health information involved in this incident was or will be used for any unintended purposes.”

What’s more, the impacted patients were not offered compensation for damage to their credit, incurred by the breach. The lawsuit argued UnityPoint should have at least provided a year of free credit monitoring.

In response, UnityPoint sought to dismiss the lawsuit. In July 2019, a judge in the US District Court for the Western District of Wisconsin ruled to partially dismiss some of the claims purported in the lawsuit but that some claims could continue.

According to the settlement, the $2.8 million will also go towards the reimbursement of extraordinary expenses of up to $6,000 per impacted patient. In fact, patients “are not subject to a global cap on settlement benefits—meaning that every settlement class member will be fully compensated for valid claims, independent of the aggregate amount of other claims submitted.”

The settlement also requires UnityPoint Health to make multiple, detailed commitments to improve its network and data security measures to address the vulnerabilities that spurred the initial breaches. A third-party security firm will also be required to conduct an annual assessment of UnityPoint Health’s adherence to its security policies.

The health system must also separately pay all costs of both notice and claims administration, attorneys’ fees “in an amount not to exceed $1.58 million." The four initial patients to file the lawsuit will also be awarded an amount not to exceed $2,500.

The settlement has been presented to the court for review and approval.

If approved, the UnityPoint Health settlement will join some of the largest healthcare data breach settlements in the last few years: Anthem ($115 million),  Premera Blue Cross ($10 million), Banner Health ($8.9 million), UCLA Health ($7.5 million), and Washington State University ($4.7 million).

Next Steps

Dig Deeper on HIPAA compliance and regulation