Thousands of Wisconsin patients could get up to $7,000 and a year of credit monitoring and identity protection in a settlement of a class-action lawsuit against UnityPoint Health over data breaches.
The settlement last week with Iowa-based UnityPoint Health, which owns Meriter Health Services in Madison, involves two data breaches in 2018.
Patients were told their names, addresses and medical information — and, for some, driver’s license, Social Security and payment card or bank account numbers — may have been compromised.
In the first incident, notices were sent to 16,400 patients saying their information might have been stolen. In the second, 1.4 million people were notified, including 76,000 in Wisconsin.
Plaintiffs named in the lawsuit include Yvonne Mart Fox, of Middleton, and Grant Nesheim, of Mazomanie. Other named plaintiffs are from Illinois and Iowa.
According to the settlement, patients with valid claims can get up to $1,000 for ordinary expenses and $6,000 for extraordinary expenses, along with a year of credit monitoring and identity protection. UnityPoint Health is also required to “address the vulnerabilities” that resulted in the breaches.
“I conclude that the Settlement provides exceptional results for Settlement Class members, while sparing Settlement Class members from the uncertainties of continued and protracted litigation,” wrote Cari Campen Laufenberg, an attorney for the plaintiffs.
UnityPoint Health said the incidents stemmed from phishing attacks. Emails disguised to appear like they came from an executive with the organization tricked employees into providing sign-in information, giving the attackers access to their accounts, UnityPoint Health said.
“Since the phishing incidents occurred, UnityPoint Health notified affected parties in compliance with applicable law, conducted a full investigation and implemented a variety of safeguards to reduce the likelihood of a similar incident occurring again,” spokeswoman Christine Zrostlik said Monday in a statement.
UnityPoint Health had already said it would offer free credit monitoring for a year to people whose driver’s license or Social Security numbers were involved.
According to the lawsuit, filed in U.S. District Court in Madison, Fox was “harassed and inundated with unwanted, unsolicited and unlawful spam and phishing emails and auto-dialed calls from unscrupulous operators.”
Nesheim learned there had been a fraudulent attempt to open an unauthorized credit card in his name, the lawsuit said. He was so inundated with robocalls that he had to take on a new number for work calls, the lawsuit said.
The business news you need
With a weekly newsletter looking back at local history.