Lawsuit mulled in second UnityPoint Health data breach this year
An attorney who filed a class-action lawsuit against UnityPoint Health about a data breach discovered earlier this year is investigating additional action regarding a second security incident announced by the health system last week.
In the latest problem, UnityPoint Health notified 1.4 million patients, including 76,000 in Wisconsin, that their names, addresses and medical information — and, for some, driver’s license, Social Security and payment card or bank account numbers — may have been compromised.
The Iowa-based provider, which includes UnityPoint Health-Meriter in Madison, said emails disguised to seem like they came from an executive with the organization tricked employees into providing sign-in information, giving the attackers access to their accounts from March 14 to April 3.
UnityPoint Health said it discovered the problem May 31. Last week, the health system said it would offer free credit monitoring services for a year to people whose driver’s license or Social Security numbers were involved.
In April, UnityPoint Health notified 16,400 patients of a separate phishing attack, discovered in February and potentially involving data going back to November.
A class-action lawsuit filed in May in U.S. District Court in Madison named two patients affected by the first breach. It alleges UnityPoint Health delayed reporting the problem and falsely told patients no Social Security numbers were involved.
One of the patients, Yvonne Mart Fox, of Middleton, said in the lawsuit that she noticed an increase in robocalls and spam emails in early 2018.
She said she had experienced daily anger and sleep disruption as a result of the data breach, which makes it “feel like I’m having surgery in public.”
Robert Teel, the Seattle attorney who filed the lawsuit, said Monday that he is investigating the new breach. Fox and Grant Nesheim, of Mazomanie, the other patient named in the lawsuit, also received notice about the latest incident, Teel said.
UnityPoint Health said it has reset passwords for compromised accounts, conducted mandatory employee training about recognizing phishing emails and implemented multi-factor authentication in accessing systems, in an effort to prevent similar situations.
Patients who have questions or concerns can call 888-266-9285.