UnityPoint Health Data Breach Lawsuit Partly Dismissed by Federal Judge

The Western District of Wisconsin US District Court has partly dismissed the class-action data breach lawsuit that UnityPoint Health is facing.

In February 2018, employees of UnityPoint Health received phishing emails and responded to them. As a result, the attackers were able to access the employees’ email accounts, which contained the protected health information (PHI) of 16,429 patients. This phishing attack on UnityPoint Health is the reason why the lawsuit was filed against UnityPoint Health.

The breach investigation results revealed that the attackers got access to patient information first on November 1, 2017 until February 7, 2018. The following types of PHI were potentially compromised: names, contact information, diagnoses, laboratory test results, operations details, and prescribed medicines. Some patients also had their driver’s license number and/or Social Security number exposed.

One month after the data breach was announced, four patients took the initiative to file suit against UnityPoint Health for allegedly not responding to the incident appropriately. The lawsuit furthermore alleged that the sending of breach notification letters was delayed by two months. This clearly is a violation of the HIPAA Breach Notification Rule.

The plaintiffs also claim that UnityPoint Health lacked in extending help to the victims of the breach. Just because UnityPoint Health thinks that there was no exposure of Social Security numbers, it did not offer free credit monitoring and identity theft protection services. The lawsuit alleges that Social Security numbers were exposed. In fact, some patients had reported getting robocalls following the breach. The plaintiffs also stated that aside from paying for the credit monitoring services. the company should also pay the patients for the money they had to spend because of the breach.

The District Court Judge decided to dismiss a number of claims but retained others. The judge dismissed the claims of privacy intrusion, misrepresentation, and violation of data breach notification law and consumer fraud laws.

The plaintiffs are likewise permitted to go after violations of Wisconsin’s confidentiality statute for healthcare records and negligence claims. Nevertheless, those claims were dismissed in Iowa and Illinois. The claims that were not dismissed include the breach of contract claim, fair dealing claims, unjust enrichment and covenant of good faith claims.

About Christine Garcia 1297 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA