UnityPoint Health was presented with a preliminary settlement for a class action lawsuit that contained an unusual provision. The medical breach settlement imposed no “global cap,” setting a concerning precedent in class action data breach lawsuits.
UnityPoint Health Medical Breach
Before discussing the medical breach settlement, it is important to understand the nature of the incidents that initiated the lawsuit. UnityPoint suffered two breaches, one in 2017 that affected 16,400 patients, and a second in 2018 that affected 1.4 million patients. Both of the breaches were the result of phishing attacks.
Phishing attacks occur when an attacker impersonates a trusted entity, sending emails or text messages to an organization’s employees. These messages generally prompt recipients to click on a malicious link that, in turn, gives the attacker access to the organization’s network. Phishing attacks frequently target organizations that handle protected health information (PHI), because the data obtained from these entities can be extremely valuable.
To prevent phishing attacks, it is essential to implement adequate security measures and to train employees on how to recognize phishing attempts. Since UnityPoint Health suffered two phishing attacks, it is likely that the organization failed to close its security gaps or train its employees after the first incident, allowing a second, larger medical breach to occur.
UnityPoint Medical Breach Settlement
Generally, a medical breach settlement will impose a global cap for victim claims. In the UnityPoint settlement, however, there is no cap. The case notes, “The monetary relief and credit monitoring services available to settlement class members are not subject to a global cap on settlement benefits – meaning that every settlement class member will be fully compensated for valid claims, independent of the aggregate amount of other claims submitted.”
The proposed $2.8 million settlement requires UnityPoint to offer one year of ID theft protection and credit monitoring services ($200/settlement class member). In addition, it must cover settlement members’ “ordinary expenses” (up to $1,000/settlement class member); ordinary expenses are the expenses settlement members incurred to address the security incidents. It must also pay for “extraordinary expenses” (up to $6,000/settlement class member); these are professional fees related to fraud or identity theft.
As part of the medical breach settlement, UnityPoint must also bolster its data and network security to prevent future incidents from occurring. “Organizations that agree to settlement terms that require increased data security safeguards following a data breach may be in a much better position to ward off the possibility of harsh penalties from enforcement agencies as well as mitigate the risk of future class actions,” states privacy attorney David Holtzman.
Although UnityPoint has not yet accepted the terms of the settlement, it is clear that any settlement that is reached will prove to be extremely costly for the organization.