Healthcare company UnityPoint Health has agreed to settle with patients and employees who were affected by two data leaks that occurred in 2018, according to Fierce Healthcare. The settlement, which amounts to $2.8 million, is in relation to the breaches back in 2017 and 2018.
UnityPoint Health, operating as Iowa Health System, will be settling with 1.4 million victims of the phishing attacks. The settlement will be composed of monetary and injunctive assistance, particularly credit monitoring and identity protection services for one year.
The settlement will also give a maximum of $1,000 reimbursement per victim. This is for expenditures they incurred for credit monitoring and identity protection services.
Court documents revealed that each victim will receive up to $6,000 for extraordinary expenses. Moreover, UnityPoint will be paying for legal costs including notice and claims administration with a maximum of $1.57 million.
The settlement has been filed and presented to the court and is undergoing review. To further address the issue, the company also pledged to improve its cybersecurity and data security systems.
Thousands of Patient Data Leaked
The source of this issue is the 2017 and 2018 attacks suffered by the company, its patients, and its employees.
The first breach was discovered in February 2018, but upon investigation, it was revealed that the malicious party had been accessing the database between November 2017 and February 7, 2018. However, the company informed the victims only in April.
The second breach occurred between March and April 2018. The hackers phished login credentials by pretending to be a “trusted executive,” as per the Fierce Healthcare report. This appears to be the most immediate effect of the attack.
However, investigators deemed that the attack sought to “divert payroll or vendor payments.” The class-action lawsuit noted that victims were notified of the issue only in July.
Information that leaked due to the attack includes patient and employee names, contact details, dates of birth, social security numbers, driver’s license numbers, insurance information, and medical records.
It also covers medical providers, dates of services, laboratory results and diagnoses, and other medical information such as surgeries, medications, and treatments.
According to the complainants, the company “misrepresented the nature, breadth, scope, harm, and cost” of the security matter.
Meanwhile, a UnityPoint representative said in an email that the healthcare chain has taken the necessary steps “to reduce the likelihood of a similar incident occurring again.”