UnityPoint Health identified a data breach on February 15, 2018 which led to the compromise of 16,429 patients’ protected health information. The breach appears to have happened because a number of employees failed to spot phishing emails and responded to them. UnityPoint Health delivered data breach notification letters to all patients whose sensitive information was compromised two months after learning of the incident, on or about April 16, 2018.
The breach notification letters sent to patients mentioned the disclosure of some of their health data. In April, a substitute breach notice was also published on the website of UnityPoint Health. It listed the types of data that the attackers most likely accessed. Patients’ names, along with one or more of the following data elements, might have been viewed: dates of birth, medical record number, surgical data, laboratory results, diagnoses, treatment details, prescription drugs, service dates, providers and/or insurance plan details. The financial details or Social Security numbers of some patients might also have been viewed.
UnityPoint Health additionally stated in the breach notification letters that no report had been received indicating the access, theft or misuse of patients’ health information. Patients were cautioned to stay vigilant when reviewing their account statements and to watch for fraudulent or irregular activity. UnityPoint Health did not assume responsibility for safeguarding patients against identity theft and fraud, nor did the healthcare provider offer the patients any kind of credit monitoring or identity theft protection services. There was additionally no insurance policy that protected the patients from potential misuse of their information.
In response to the data breach, lawyer Robert Teel filed a class action lawsuit against Iowa Health Systems Inc., the firm that operates UnityPoint Health. The lead plaintiff in the lawsuit is Yvonne Mart Fox from Middletown, WI. Fox accused UnityPoint Health of delaying the notification of patients and regulators regarding the data breach. She also accused UnityPoint Health of misrepresenting the nature, scope, breadth, damage and cost of the breach.
Fox claims she endured sleep deprivation as a result of the breach and felt anger every day. She likewise claims that she has been receiving more automated phone calls on her mobile and landline phones, in addition to promotional and spam emails, ever since the breach and the exposure of her contact details. Along with the other class members, Fox is seeking compensatory, punitive and other damages.
HIPAA requires covered entities to send notification letters to patients and submit breach reports to the Department of Health and Human Services’ Office for Civil Rights within 60 days of discovering a breach. Waiting two months before issuing notifications may be viewed as a violation of the HIPAA Rules. Even if notification letters are sent within the time frame set by HIPAA, a covered entity that does not meet the requirement to issue notifications “without unnecessary delay” could still be found in violation and may be fined.