UnityPoint Health agrees to $2.8M settlement in 2018 data breach case

UnityPoint Health has reached a $2.8 million settlement with patients and employees impacted by two data breaches at the health system.

Phishing attacks that occurred in 2017 and 2018 at the health system compromised data on more than 1 million individuals, including patients' protected health information.

The settlement will provide the 1.4 million breach victims with monetary and injunctive relief, including one year of credit monitoring and identity theft protection services, and will reimburse expenses up to $1,000 per settlement class member for costs incurred by credit monitoring and identity theft protection services, according to court documents filed last week.

According to the settlement, the $2.8 million will also go toward the reimbursement of extraordinary expenses of up to $6,000 per impacted patient.

Iowa Health System, doing business as UnityPoint Health, also made commitments to improve its network and data security measures, according to the proposed settlement.

The health system must also separately pay all costs of both notice and claims administration and plaintiffs' attorneys' fees in an amount not to exceed $1.57 million.

The settlement has been presented to the court for review and approval.

UnityPoint Health operates a network of hospitals, clinics, home care services and health insurers throughout Wisconsin, Iowa and Illinois.

In April 2018, the health system notified more than 16,400 patients that their information may have been compromised in a phishing attack.

Patients impacted by the data breaches filed a class-action lawsuit against UnityPoint in 2018, alleging the health system delayed reporting the incident and falsely informed patients that the data breach did not include their Social Security numbers.

According to the plaintiffs, the first breach was discovered on Feb. 15, 2018, but hackers had access to information between Nov. 1, 2017, and Feb. 7, 2018. UnityPoint Health did not notify impacted patients until April, the plaintiffs argued.

The health system discovered a larger breach in May 2018, in which hackers accessed employee accounts between March 14 and April 3. The attackers posed as a trusted executive and tricked employees into turning over confidential sign-in information. But investigators believe the attackers were primarily focused on using the email system to “divert payroll or vendor payments," according to a letter from the health system at the time of the breach.

Hackers gained access to the internal email system for nearly a month, and patients began receiving notifications about the security incident in July 2018, according to the class-action lawsuit.

UnityPoint Health "misrepresented the nature, breadth, scope, harm, and cost" of the breach, the plaintiffs said.

The information allegedly accessed during the breaches includes UnityPoint patient and employee names, addresses, email addresses, telephone numbers, dates of birth, Social Security numbers, driver's license numbers, medical record numbers and insurance information, as well as medical information such as providers, dates of service, lab results, diagnoses, medications, surgeries and other treatments, according to the lawsuit.

In July 2019, a judge in the U.S. District Court for the Western District of Wisconsin partially dismissed some of the claims asserted in the lawsuit but ruled that other claims could proceed.

In a statement sent via email from a UnityPoint Health representative, health system officials said, "Since the phishing incidents occurred, UnityPoint Health notified affected parties in compliance with applicable law, conducted a full investigation, and implemented a variety of safeguards to reduce the likelihood of a similar incident occurring again."

"UnityPoint Health values the protection of patient privacy and we continually evaluate and modify our security practices to further strengthen the privacy of our patients' personal health information," the health system said.