[BreachExchange] UnityPoint agrees to $2.8 million data breach settlement

Destry Winant destry at riskbasedsecurity.com
Tue Jun 30 10:34:00 EDT 2020


Iowa Health System, which does business as UnityPoint Health, has
reached a settlement over two data breaches at the health system,
which had collectively compromised data on more than 1 million
patients and employees, according to court documents filed last week.

The plaintiffs in the case filed the motion for preliminary approval
of a settlement to end a proposed class action over the 2017 and 2018
cyberattacks in federal court in Wisconsin.

Under the deal, an estimated 1.4 million people who UnityPoint Health
notified after the data breaches would be able to request
reimbursement for expenses from the incidents. Each class member's
reimbursement is capped at $1,000 for ordinary expenses—such as costs
associated with credit freezes, credit monitoring services and up to
three hours of time lost responding to the incident—and $6,000 for
extraordinary expenses.

Extraordinary expenses could include costs incurred addressing
identity fraud and up to 10 additional hours of time lost, according
to the proposed settlement agreement.

The agreement does not include an overall cap on monetary relief for
class members.

"This is a significant benefit as compared to other settlements, in
which individual class member recovery is subject to pro rata
reduction if the aggregate amount of claims exceeds a global cap or
other limit," the documents read.

UnityPoint Health also agreed to provide people affected by the data
breaches with one year of credit monitoring services, including up to
$1 million reimbursement insurance to cover losses due to identity
theft and services to notify a class member if such information as
Social Security numbers or credit card numbers are found on the dark

The credit monitoring and identity theft protection services for the
settlement class are valued at approximately $2.8 million, according
to court documents.

In addition, UnityPoint Health will pay attorneys' fees and expenses
incurred by the plaintiffs, not to exceed $1.575 million.

The settlement resolves a proposed class action over two data
breaches, both of which involved email phishing scams.

UnityPoint Health in April 2018 reported that hackers had breached
16,429 people's information through an email phishing attack.
UnityPoint Health discovered the data breach in February 2018, but the
hackers' access to employee email accounts had occurred as early as
November 2017, according to the plaintiffs.

In July 2018, UnityPoint Health reported a second data breach, also
involving hackers accessing employee email accounts. The data breach,
which began in March 2018, compromised data from approximately 1.4
million patients and employees. UnityPoint Health discovered the data
breach in May 2018.

In an emailed statement, a UnityPoint Health spokesperson said the
health system has conducted full investigations into the data breaches
and implemented "a variety of safeguards to reduce the likelihood of a
similar incident occurring again."

"UnityPoint Health values the protection of patient privacy and we
continually evaluate and modify our security practices to further
strengthen the privacy of our patients' personal health information,"
the spokesperson said.
