West Des Moines, Iowa-based UnityPoint Health agreed to settle a proposed class action lawsuit related to two cybersecurity issues that compromised patient information, according to Law360.
Six things to know:
1. The health system reported an initial phishing attack that began in November 2017 and reported in February 2018. The second data breach occurred likely in March 2018 and was discovered in May. The health system notified affected individuals of the first data breach around April 17, 2018 and the second data breach around Aug. 2, 2018.
2. The first phishing attack compromised 16,429 patients' information and the second breach potentially affected 1.4 million individuals. After the breaches, the health system implemented two-factor authentication to prevent future attacks.
3. The class action lawsuit alleges the health system didn't notify patients of the breach in a timely manner and told patients Social Security numbers weren't compromised, but they were.
4. UnityPoint Health agreed to a minimum of $2.8 million settlement on June 26, covering monitoring expenses. The settlement also allows for up to $1,000 per person in ordinary expenses and up to $6,000 in extraordinary expenses per person.
5. The settlement allows those affected to defer credit monitoring for a year and a default payment of time spent for $15 per hour for up to three hours per person.
6. There is not a global cap on settlement benefits, so all members of the settlement class can obtain full compensation for valid claims.