UnityPoint Health could be sued for data breach affecting 1.4M

UnityPoint Health in West Des Moines, Iowa, could face a class-action lawsuit over a recent data breach that affected 1.4 million patients, according to the Wisconsin State Journal.

This would mark the second class-action lawsuit against the system since May. The first complaint involved an email phishing attack, which compromised 16,429 patients' protected health information in February. It alleged UnityPoint Health failed to notify patients in a timely matter and falsely told affected patients no Social Security numbers were compromised. The attorney who filed that suit is investigating whether the most recent breach would warrant a separate action. 

The latest breach involves a separate phishing attack that compromised patients' names, addresses and medical information, as well as a limited number of driver's license, Social Security, and payment card or bank account numbers. The breach was discovered May 31, and UnityPoint notified the 1.4 million individuals July 30.

The health system told the Wisconsin State Journal that the phishing emails in the latest attack appeared to be sent from an executive within the organization, which tricked some employees into sharing their sign-in information. Hackers had access to an undisclosed number of email accounts from March 14 to April 3.

UnityPoint has reset the passwords for the compromised accounts and implemented two-factor authentication to prevent similar situations, according to health system officials. Employees have also undergone mandatory training on how to spot a phishing attack.

Editor's Note: This article was updated Aug. 7, 2018 at 1 p.m. to clarify that the second lawsuit against UnityPoint has not yet been filed. The attorney is considering whether to file a separate action at this time. 

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars