UnityPoint Health Data Breach Lawsuit Partially Dismissed by Federal Judge

A class-action data breach lawsuit filed against UnityPoint Health has been partially dismissed by the US District Court for the Western District of Wisconsin.

The lawsuit stems from a phishing attack on UnityPoint Health in February 2018. As a result of employees falling for phishing emails, the attackers were able to gain access to email accounts containing the protected health information (PHI) of 16,429 patients.

The investigation into the breach showed access to patient data was first gained on November 1, 2017 and further email accounts were compromised up to February 7, 2018. The types of PHI in the compromised email accounts included names, contact information, diagnoses, medications, lab test results, and surgical information. Some patients also had their driver’s license number and/or Social Security number exposed.

One month after the data breach was announced, four patients filed a lawsuit against UnityPoint Health claiming the company had mishandled the breach. The lawsuit also alleged UnityPoint Health had unnecessarily delayed the issuing of breach notification letters for two months, in violation of HIPAA Breach Notification Rule requirements.

Further, the plaintiffs allege that too little was done to help victims of the breach. Breach victims were not offered complimentary credit monitoring and identity theft protection services as UnityPoint Health did not believe that Social Security numbers had been exposed. The lawsuit alleges Social Security numbers were exposed and that several patients had reported an increase in robocalls following the attack. The plaintiffs also argued that UnityPoint Health chose not to compensate patients for out-of-pocket expenses incurred as a result of the breach.

The District Court Judge dismissed certain claims but some have been allowed to proceed. The lawsuit claimed there had been an invasion of privacy, misrepresentation, and violations of the state data breach notification statute and consumer fraud statutes. All of those claims were dismissed by the judge.

The plaintiffs are permitted to pursue negligence claims for negligence per se and violations of Wisconsin’s confidentiality statute for healthcare records, but those negligence claims were dismissed in Iowa and Illinois. The breach of contract claim, covenant of good faith claims, unjust enrichment, and fair dealing claims have also been allowed to proceed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.