[BreachExchange] Data Breach Settlement Has an Unusual Provision

[Destry Winant]

https://www.databreachtoday.com/data-breach-settlement-has-unusual-provision-a-14523

A preliminary settlement of a class action data breach lawsuit against
Iowa Health System - which does business as UnityPoint Health -
contains an extraordinary provision that could prove quite costly.

Unlike settlements in most other data breach class action lawsuits,
this one does not contain a "global cap" on the total amount of claims
to be paid to victims.

By comparison, a 2019 settlement in a lawsuit against Banner Health in
the wake of a 2016 health and financial information breach affecting
2.9 million individuals capped reimbursement of victims' expenses at
$6 million.

The UnityPoint settlement is tied to two phishing incidents - one in
2017 affecting about 16,400 patients and employees and another in 2018
impacting 1.4 million. The 2018 attack was the second biggest health
data breach reported to the Department of Health and Human Services in
2018, according to HHS Office of Civil Rights' HIPAA Breach Reporting
Tool.

No 'Global Cap'

Settlement documents in the UnityPoint Health case note: "The monetary
relief and credit monitoring services available to settlement class
members are not subject to a global cap on settlement benefits -
meaning that every settlement class member will be fully compensated
for valid claims, independent of the aggregate amount of other claims
submitted."

Independent privacy and security attorney Paul Hales, who was not
involved in the lawsuit, notes: "The potential uncapped costs to
UnityPoint Health are breathtaking. The class consists of more than
1.4 million members. Each is entitled to up to $1,000 for documented
out-of-pocket 'ordinary expenses' related to the data breaches and up
to $6,000 for 'extraordinary expenses' including out-of-pocket
expenses and additional lost time spent resolving documented
extraordinary losses.

"Do the math. The settlement is especially significant because the
final settlement amount is not subject to a global cap. Each class
member must be fully compensated for valid claims up to the individual
limits on ordinary and extraordinary expenses."

Hales says he had been watching the UnityPoint case and expected a
settlement, "but not one of the magnitude" of the proposed order.

"UnityPoint Health must have felt pressure to settle after a July 25,
2019 order in the case. The trial judge ruled, 'Plaintiffs have
plausibly alleged injuries that can be linked to this [breached]
information'," he says. In addition, Hales points out, the judge also
ruled: "In this case, plaintiff(s) have alleged facts sufficient to
establish an objectively reasonable likelihood of future identity
theft."

Settlement Details

Under the terms of the proposed settlement, UnityPoint will provide
one year of comprehensive credit monitoring and ID theft protection
services with a retail value of about $200 per settlement class
member.

The proposed settlement document notes that "given a class size of
approximately 1.4 million individuals, this is an enormous benefit,
amounting to millions of dollars of value to settlement class
members."

UnityPoint also will pay 100% of all "ordinary expenses" up to $1,000
for each person affected by the breaches. That includes documented
out-of-pocket expenses related to the data breaches, including up to a
total of $45 ($15 per hour for three hours) for time lost dealing with
the aftermath of the security incidents.

The settlement also provides for reimbursement of "extraordinary
expenses" of up to $6,000 per victim. Examples of these expenses
include professional fees and other costs incurred to address identity
theft or fraud.

Under the case's most recent amended complaint filed in August 2018,
the plaintiffs allege that UnityPoint neglected its duty to safeguard
their PHI and PII as required under various federal and state laws;
violated various state breach notification laws; and knowingly made
deceptive representations of its data security policies and practices
in its privacy statements and elsewhere.

The amended complaint included several examples of plaintiffs who
alleged they had been victims of identity theft or fraud incidents
following the UnityPoint data breaches. Those incidents include
alleged attempts by fraudsters to open credit card accounts using a
victim's identity and the discovery of a plaintiff's information on a
darknet website.

Attorneys representing UnityPoint did not immediately respond to
Information Security Media Group's request for comment, and an
attorney representing the plaintiffs declined ISMG's request for
comment.

Improving Data Security

The preliminary settlement also calls for UnityPoint Health to improve
its network and data security to address vulnerabilities and safeguard
patient data.

The details of steps that UnityPoint must take to improve its security
were redacted from the preliminary settlement document, and a related
exhibit document was sealed by court.

Provisions in data breach class action lawsuit settlements that call
for the breached entity to improve its security programs are
increasingly common.

For instance, in 2018, the $115 million settlement in a consolidated
class action lawsuit against Anthem in the wake of a 2015 cyberattack
affecting nearly 79 million individuals, called for the health insurer
to triple its cybersecurity budget.

"Federal Trade Commission enforcement actions that impose mandates on
businesses in the event of a breach of consumer privacy and data
security could be responsible for the trend we are seeing in class
action lawsuits in requiring organizations to beef up data protection
safeguards," notes privacy attorney David Holtzman of the privacy and
security consulting firm CynergisTek.

"Organizations that agree to settlement terms that require increased
data security safeguards following a data breach may be in a much
better position to ward-off the possibility of harsh penalties from
enforcement agencies as well as mitigate the risk of future class
actions," he says.

Sources say the UnityPoint settlement could be finalized in the court
by the end of this year.