par John R. Fischer
, Senior Reporter | July 07, 2020
An Iowa-based healthcare system has settled a class-action lawsuit that could award thousands of patients in Wisconsin up to $7,000.
UnityPoint Health, which owns Meriter Health Services in Madison, agreed to a deal last month that would put to rest a case related to two separate data breaches that occurred in 2018, reported Kenosha News
“The parties have reached an agreement to settle a class action lawsuit related to 2018 phishing attacks that compromised the email accounts of certain UnityPoint Health employees,” Christine Zrostlik, senior media relations specialist at UnityPoint Health, told HCB News. “Since the phishing incidents occurred, UnityPoint Health notified affected parties in compliance with applicable law, conducted a full investigation and implemented a variety of safeguards to reduce the likelihood of a similar incident occurring again.”
The first incident potentially affected up to 16,400 patients, who were notified that their information may have been stolen. Following this, 1.4 million were notified of a second incident, including 76,000 in Wisconsin. Both were phishing attacks, in which dubious emails that appeared to have been sent from an executive within the organization tricked employees into providing their sign-on information, thereby giving the attackers access to their accounts, according to UnityPoint Health
Possible information compromised in both events included names of patients, addresses and medical information, as well as for some, driver’s licenses, social security numbers and payment card or bank account numbers.
The lawsuit names Yvonne Mart Fox, of Middleton, and Grant Nesheim, of Mazomanie, Wisconsin among the plaintiffs. Other named plaintiffs are from Illinois and Iowa. Fox says she was “harassed and inundated with unwanted, unsolicited and unlawful spam and phishing emails and auto-dialed calls from unscrupulous operators,” as a result of the breaches, while Nesheim was alerted to a fraudulent attempt to open an unauthorized credit card in his name. He also received a large number of robocalls that forced him to get a new number for work calls, according to the suit.
Plaintiffs with valid claims could see up to $1,000 for ordinary expenses and $6,000 for extraordinary expenses, as well as a year of credit monitoring and identity protection. UnityPoint Health had already promised to offer free credit monitoring for a year to those whose driver’s license or social security numbers were involved.
“UnityPoint Health values the protection of patient privacy and we continually evaluate and modify our security practices to further strengthen the privacy of our patients' personal health information,” said Zrostlik.
The suit was filed in the U.S. District Court in Madison.