Iowa Community HomeCare Sued Over March 2023 Ransomware Attack
UI Community HomeCare and UI Community Medical Services, which are subsidiaries of University of Iowa (UI) Health Care, are being sued by a former employee and a patient over a March 2023 ransomware attack and data breach. The data breach was disclosed by IU Health Care in May 2023, but occurred in March 2023 and affected its subsidiaries. Iowa Community HomeCare discovered the security breach on March 23, 2023, when files on its network were encrypted. The investigation confirmed there had been unauthorized access to files containing sensitive data on March 23, 2023.
Personal and protected health information was exposed, and potentially stolen, such as names, birthdates, addresses, phone numbers, medical record numbers, referring physician names, dates of service, health insurance information, billing and claims information, medical history information, and diagnosis/treatment information. At the time of issuing notifications, Iowa Community HomeCare had identified no attempted or actual misuse of the stolen data. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 67,897 individuals.
The lawsuit was filed against UI Community HomeCare and UI Community Medical Services and claims the attack and data breach could have been prevented if the defendants had implemented appropriate security measures. While security measures had been implemented, the lawsuit alleges the defendants willfully avoided their data security obligations at the expense of plaintiffs and class members by utilizing cheaper, ineffective security measures.
The defendants are also alleged to have failed to disclose to patients that substandard cybersecurity measures were in place and vulnerabilities had not been addressed, which led the plaintiffs and class members to believe their sensitive information would be adequately protected when making decisions about purchasing and availing of the defendants’ services. As such, the plaintiffs claim that the defendants’ profits, benefits, and other compensation were obtained improperly and that the defendants are not legally entitled to retail any of the benefits, compensation, or profits realized from their transactions.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The lawsuit names Becky Kaefring and Kimberly Sullivan as plaintiffs. Kaefring worked for UI Community HomeCare between 2003 and 2019 and Sullivan’s child received health care services from UI Community HomeCare. The plaintiffs allege they have suffered injuries as a result of the data breach including lost time, annoyance, interference, inconvenience, and anxiety about the exposure of their sensitive data, and that they are faced with the burden of having to closely monitor for identity theft and fraud for years to come.
Kaefring alleges negligence, negligence per se, breach of implied contract, unjust enrichment, invasion of privacy, and breach of fiduciary duty and Sullivan alleges negligence, breach of implied contract, breach of implied covenant of good faith and fair dealing, and unjust enrichment. The lawsuit seeks class action certification, damages, a refund, and injunctive relief, including an order from the court compelling the defendant to make substantial improvements to security.
