Federal Judge Partially Dismissed UnityPoint Health Data Breach Lawsuit

The US District Court for the Western District of Wisconsin has partially dismissed the class-action data breach lawsuit against UnityPoint Health.

The lawsuit stems from a phishing attack on UnityPoint Health that happened in February 2018. Because employees responded to the phishing emails they received, the attackers gained access to email accounts that contained the protected health information (PHI) of 16,429 patients.

According to the breach investigation results, the attackers first gained access to patient data on November 1, 2017, and access continued up to February 7, 2018. The compromised email accounts contained these types of PHI: names, contact details, diagnoses, prescribed medicines, laboratory test results, and surgical details. The driver’s license numbers and/or Social Security numbers of a number of patients were also exposed.

A month after the data breach was announced, four patients filed a legal case against UnityPoint Health alleging that the health provider mishandled the incident. The lawsuit likewise alleged that UnityPoint Health unnecessarily delayed the issuance of breach notification letters to patients for two months, which violates the HIPAA Breach Notification Rule.

Additionally, the plaintiffs claim that the provider extended too little help to the breach victims. No complimentary credit monitoring or identity theft protection services were offered because UnityPoint Health believed that Social Security numbers were not exposed. The lawsuit states that Social Security numbers were exposed and that a number of patients reported receiving more robocalls right after the attack. The plaintiffs additionally contended that UnityPoint Health did not reimburse patients for the out-of-pocket expenses they incurred due to the breach.

The District Court Judge dismissed some claims but allowed others to continue. The lawsuit alleged there was an intrusion of privacy, misrepresentation, and violations of consumer fraud statutes and state data breach notification law. The judge dismissed all of those claims.

The plaintiffs are allowed to pursue claims for violations of Wisconsin’s confidentiality statute for healthcare records, as well as negligence claims with regard to negligence per se. However, those negligence claims were dismissed in Iowa and Illinois. The covenant of good faith claims, breach of contract claim, fair dealing claims and unjust enrichment claim were likewise allowed to continue.