Federal Judge Partially Dismissed UnityPoint Health Data Breach Lawsuit

The US District Court for the Western District of Wisconsin has partially dismissed the class-action data breach lawsuit against UnityPoint Health.

The lawsuit stems from a phishing attack on UnityPoint Health that happened in February 2018. Because employees responded to the phishing emails they received, the attackers accessed email accounts that contained the protected health information (PHI) of 16,429 patients.

According to the breach investigation results, the attackers first gained access to patient data on November 1, 2017, and that access continued up to February 7, 2018. The compromised email accounts contained these types of PHI: names, contact details, diagnoses, prescribed medicines, laboratory test results, and surgical details. The driver’s license numbers and/or Social Security numbers of a number of patients were also exposed.

A month after the data breach was announced, four patients filed a lawsuit against UnityPoint Health alleging that the health provider mishandled the incident. The lawsuit also alleged that UnityPoint Health unnecessarily delayed issuing breach notification letters to patients for two months, which violates the HIPAA Breach Notification Rule.

Additionally, the plaintiffs claim that the provider extended too little help to the breach victims. No complimentary credit monitoring and identity theft protection services were offered because UnityPoint Health believed that Social Security numbers were not exposed. The lawsuit states that Social Security numbers were exposed and that a number of patients reported receiving more robocalls right after the attack. The plaintiffs additionally contended that UnityPoint Health did not reimburse patients for the out-of-pocket expenses they incurred due to the breach.

The District Court judge dismissed some claims but allowed others to continue. The lawsuit alleged an intrusion of privacy, misrepresentation, and violations of consumer fraud statutes and state data breach notification law. The judge dismissed all of those claims.

The plaintiffs are allowed to pursue claims for violations of Wisconsin’s confidentiality statute for healthcare records and negligence claims with regard to negligence per se. However, those negligence claims were dismissed in Iowa and Illinois. The covenant of good faith claims, breach of contract claim, fair dealing claims, and unjust enrichment claim were likewise allowed to continue.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of the HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone