Class Action Lawsuit Filed Over UConn Health Phishing Attack

Share this article on:

A class action lawsuit has been proposed which seeks to recover damages for patients whose protected health information (PHI) was exposed in the UConn Health phishing attack that was discovered on December 24, 2018.

The lawsuit has been filed against the University of Connecticut and UConn Health and seeks damages, equitable, declaratory, and injunctive relief to prevent a recurrence of a data breach. A jury trial is being sought.

The email accounts of multiple employees were compromised as a result of the attack. In total, 326,000 UConn Health patients had some of their personal and health information exposed in the breach. Most of the individuals affected by the breach only had a limited amount of PHI exposed, although approximately 1,500 patients had their name, address, date of birth, and Social Security number, and some medical information compromised.

The lawsuit alleges UConn Health was negligent for failing to protect the private information of its patients there was a failure to provide timely, accurate, and adequate notification of the breach. The lawsuit explains there were major deficiencies in UConn Health’s security protocols, which allowed the breach to go undetected for months. According to the lawsuit, the first email accounts were breached in August 2018, but UConn Health only detected the breach in December 2018. It then took until February 25, 2019 for patients to be informed of the breach of their PHI.

For four months the attackers had access to the accounts and could have viewed and stolen patient information. “UConn failed to recognize its systems had been breached and that intruders were stealing data on hundreds of thousands of current and former patients. Timely action by UCONN would likely have significantly reduced the consequences of the breach,” states the lawsuit.

The lawsuit also alleges security awareness training was inadequate and UConn Health did not teach employees how to identify a potential phishing email.

The lawsuit names Yoselin Martinez as the plaintiff and there are more than 100 putative class members who were similarly affected by the breach. The lawsuit seeks damages in excess of $5 million.

Yoselin Martinez was alerted to the breach on February 25, 2019 and checked her bank account and found that an unauthorized transaction had placed her in overdraft. She alleges the transaction was the result of the fraudulent use of her information that was stolen from UConn Health.

Plaintiffs are being represented by law firm Glancy, Prongay, & Murray LLP.

Author: HIPAA Journal

Share This Post On