- UnityPoint Health delayed reporting a healthcare data breach, incorrectly told affected patients that their Social Security numbers were not part of the breach, and declined to compensate victims for damage to their credit from the breach, charged a federal class action lawsuit filed May 4, according to a report by the Wisconsin State Journal.
In April, UnityPoint admitted that a phishing attack compromised employee accounts and led to the exposure of PHI of 16,429 patients. The company said it discovered the breach on February 15 and determined that the breach occurred between November 1, 2017, and February 7, 2018. It began notifying patients on April 16.
The information that may have been compromised included dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service, and insurance information. It noted that for a “limited number of impacted individuals,” their Social Security number may have been exposed.
“To date, we are not aware of any reports of identity fraud, theft, or improper use of information as a direct result of this incident,” UnityPoint said. The healthcare provider did not offer affected patients free credit monitoring services. Instead, it advised affected patients to “take precautionary measures to protect their health information” and “to remain vigilant in reviewing account statements for fraudulent or irregular activity on a regular basis.”
The lawsuit, filed in US District Court in Madison, Wisconsin, argued that Iowa-based UnityPoint, which operates Meriter Hospital in Madison, waited more than two months after the breach was discovered before notifying the public and regulators, The HIPAA Breach Notification Rule requires covered entities to report PHI data breaches affecting 500 individuals or more within 60 days of discovery.
UnityPoint “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach” when it claimed the exposed “information did not include your Social Privacy number” and that it had “no information to date indicating that your protected health information involved in this incident was or will be used for any unintended purposes,” according to the lawsuit as reported by the newspaper.
The lead plaintiff, Yvonne Mart Fox of Middleton, Wisconsin, said that she began noticing an increase in the number of robocalls on her cellphone and landline and spam emails in early 2018. She said that she has experienced daily anger and sleep disruption because of the data breach.
After receiving UnityPoint’s letter, she called the company and was told to take steps to protect her information. She asked if UnityPoint would pay for any of those steps but did not get an answer. After a number of calls, UnityPoint said that no further remedial action or provide compensation.
Fox’s attorney, Robert Teel, said that UnityPoint should have provided free credit monitoring services to the victims.
In other instances, hospitals have simply stepped up. Other financial institutions who have suffered a data breach have simply stepped up and bought the credit monitoring service as well as the identity theft insurance. So at a minimum, I believe those are the steps UnityPoint should step up and do,” Teel told Madison TV station WKOW.
“Our hope is that again they’ll step up and recognize that this is not the patients burden to try to protect the confidentiality of their records. It's the healthcare institution's legal obligation to do so. So, simply telling them they should take precautionary measures is just blame shifting,” Teel said.
The attorney also objected to UnityPoint’s statement that it was not aware of any misuse of the exposed PHI. “Why do you think criminals acquire these records? They don't do it for fun. It's well known in the industry that medical records are used for criminal activity,” he said.
The lawsuit is seeking compensatory, punitive, and other damages from UnityPoint along with restitution to affected patients. UnityPoint did not respond to HealthITSecurity.com for a comment on the lawsuit.