UnityPoint Health, which operates Meriter Hospital in Madison, delayed reporting a data breach and falsely told patients that information stolen during the breach did not include their Social Security numbers, according to a federal class-action lawsuit filed Friday.
The lawsuit, filed in U.S. District Court in Madison, concerns a reported data breach discovered by UnityPoint in February that may have compromised patient data as far back as Nov. 1. The lawsuit states the breach was the result of a “phishing attack” of employee email accounts that compromised the protected health information of at least 16,429 people.
UnityPoint notified patients in mid-April of the breach, but the lawsuit states that UnityPoint “misrepresented the nature, breadth, scope, harm, and cost of the privacy breach” when it claimed “the (stolen) information did not include your Social Privacy number” and that it had “no information to date indicating that your protected health information involved in this incident was or will be used for any unintended purposes.”
The lawsuit accuses UnityPoint of waiting for more than two months after the breach was discovered before notifying the public and regulators.
UnityPoint, based in Iowa, declined to comment.
One of those affected by the breach, Yvonne Mart Fox, of Middleton, the lead plaintiff, states in the lawsuit that she has experienced daily anger and sleep disruption as a result of the data breach, which makes it “feel like I’m having surgery in public.”
Fox began to notice in early 2018 an increase in the number of robocalls on her cellphone and landline, along with spam emails, that bothered her with unsolicited marketing contacts.
After receiving UnityPoint’s letter about the data breach in April, Fox spoke with a UnityPoint employee and was told repeatedly that she “should take steps to protect her information.”
Fox did not get a straight answer when asked whether UnityPoint would pay for any of those precautionary measures, the lawsuit states. Subsequent contacts with UnityPoint didn’t gain her any more information, just others telling her, “We are sorry, please take precautions to protect your information.”
UnityPoint finally told Fox it would take no further remedial action or provide further help or compensation, the lawsuit states.
The lawsuit seeks compensatory, punitive and other damages from UnityPoint along with restitution to patients, among several other demands.
The lawsuit characterizes personal health information as “one of the most valuable commodities on the criminal information black market,” worth 10 times the value of personal credit card data because it can be easily used to buy and re-sell medical equipment and drugs, create fake identification and file false claims with insurers.