A recent decision against UnityPoint Health was made where no ‘global cap’ was put in place with regard to settlement claims. These claims against UnityPoint Health stem from data breaches that were a result of two phishing incidents. The class of 1.4 million members are entitled to (up to) $1,000 for their documented ‘ordinary expenses’ that came out of pocket, and up to $6,000 for ‘extraordinary expenses’ like time lost and spent resolving issues. Documentation is required for both.
In 2017 and 2018, Iowa Health Systems, which does business as UnityPoint Health, was the target of phishing campaigns by hackers. The first incident was reported in April of 2018 when several employees fell for the phishing bait. 16,000 patients had their data exposed from about November 2017 through February of 2018 from that attack. A much larger breach happened in late May of 2018. The email appeared to be from a UnityPoint executive, and several employees fell for the scam.
This resulted in access to the internal email system for about a month in the spring of 2018. The emails contained protected health information (PHI) that included driver’s license details and social security numbers. Patients were not notified until July 2018, and those affected soon filed a class-action lawsuit.
The lawsuit alleged that UnityPoint exceeded the HIPAA-required 60-day notification limit and did not clearly identify the severity of the breach. There was also an issue with UnityPoint’s statement that there was “no information to date indicating that your protected health information involved in this incident was or will be used for any unintended purposes” – which was not true.
At the onset, UnityPoint should have at least offered credit monitoring services, and did not. Instead, they moved to dismiss the lawsuit. What they ended up with was a $2.8 million settlement which will go to the victims as outlined above.
UnityPoint is also required to make additional detailed changes to its network and data security practices and measures to address the gaps that exposed it to these breaches. This point should be underlined as we look at our own businesses and their risk of a breach. A solid cybersecurity plan does not just respond to an attack. You must first look at the business as a whole, including where HIPAA and cybersecurity overlap. Once you see the whole picture, assess the risks and weak links, devise a plan to fix those areas, and create an ongoing program to educate employees about the EVERYDAY risk they face as an entry point for hackers. These risks are constantly changing, so your education must keep pace with those changes.
The cost of a breach can be debilitating to any business, and if you are not looking at your risk of exposure, you are putting every employee and patient in danger: danger of identity theft and danger of job loss.
Two emails cost UnityPoint Health millions of dollars. Two emails. Are you doing all that you can to protect your healthcare community?
We are a proud partner of HIPAA Secure Now!, a company of HIPAA experts dedicated to helping medical entities stay compliant and keeping their data safe.
Thank you HIPAA Secure Now! (www.HIPAAsecurenow.com) for the contents of this article.