A former University of Iowa Community HomeCare staff member and a former patient filed a proposed class-action lawsuit against UI Community HomeCare and UI Community Medical Services, part of UI Health Care, alleging the organization was negligent during a March data breach, The Gazette reported Nov. 28.
Becky Kaefring and Kimberly Sullivan claim that a data breach at UI Community HomeCare on March 23, which affected more than 67,000 individuals, could have been avoided. According to the suit, the Iowa City, Iowa-based health system deliberately opted for "calculated decisions" to sidestep their data security responsibilities by employing inadequate and cost-cutting security measures.
The women are seeking a court mandate for the university entities to implement cybersecurity measures such as removing the private information of individuals within the class outlined in the lawsuit unless the university can provide a valid reason for retention.
They also request the engagement of independent auditors and internal staff to oversee security, conduct simulated attacks and initiate annual information security training programs for employees.
Executive Director Shane Sedenka told the news outlet that UI Community HomeCare utilizes a distinct EHR system from UIHC, but did not comment on the lawsuit.
"There is no indication that any UI Health Care protected health information was impacted as a result of UI Community HomeCare's security incident," Mr. Sedenka told the publication. "The privacy and security of patient information is a top priority, and we are confident that UI Community HomeCare's data security program is consistent with industry standards."