Class Action Lawsuit Filed Over UConn Health Phishing Attack

A class action lawsuit has been proposed which seeks to recover damages for patients whose protected health information (PHI) was exposed in the UConn Health phishing attack that was discovered on December 24, 2018.

The lawsuit has been filed against the University of Connecticut and UConn Health and seeks damages, equitable, declaratory, and injunctive relief to prevent a recurrence of a data breach. A jury trial is being sought.

The email accounts of multiple employees were compromised as a result of the attack. In total, 326,000 UConn Health patients had some of their personal and health information exposed in the breach. Most of the individuals affected by the breach only had a limited amount of PHI exposed, although approximately 1,500 patients had their name, address, date of birth, Social Security number, and some medical information compromised.

The lawsuit alleges UConn Health was negligent for failing to protect the private information of its patients and that there was a failure to provide timely, accurate, and adequate notification of the breach. The lawsuit explains there were major deficiencies in UConn Health’s security protocols, which allowed the breach to go undetected for months. According to the lawsuit, the first email accounts were breached in August 2018, but UConn Health only detected the breach in December 2018. It then took until February 25, 2019 for patients to be informed of the breach of their PHI.

For four months the attackers had access to the accounts and could have viewed and stolen patient information. “UConn failed to recognize its systems had been breached and that intruders were stealing data on hundreds of thousands of current and former patients. Timely action by UCONN would likely have significantly reduced the consequences of the breach,” states the lawsuit.

The lawsuit also alleges security awareness training was inadequate and UConn Health did not teach employees how to identify a potential phishing email.

The lawsuit names Yoselin Martinez as the plaintiff and there are more than 100 putative class members who were similarly affected by the breach. The lawsuit seeks damages in excess of $5 million.

Yoselin Martinez was alerted to the breach on February 25, 2019, checked her bank account, and found that an unauthorized transaction had placed her in overdraft. She alleges the transaction was the result of the fraudulent use of her information that was stolen from UConn Health.

Plaintiffs are being represented by law firm Glancy, Prongay, & Murray LLP.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.