Limitless Liability

By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Read other articles by this author

A year of credit monitoring along with identity theft monitoring services. That’s what most of us settle for when we find out that our personal data has been compromised. We are alerted, we change our password, we read the letter that offers these services and may or may not sign up for them.

Some individuals will pursue additional legal action and proceed by taking the company that was responsible for the breach to court for monetary compensation, and some will not pay attention at all.

A recent decision against UnityPoint Health was made where no ‘global cap’ was put in place with regard to settlement claims. These claims against UnityPoint Health stem from data breaches that were a result of two phishing incidents. The class of 1.4 million members are entitled to (up to) $1,000 for their documented ‘ordinary expenses’ that came out of pocket, and up to $6,000 for ‘extraordinary expenses’ like time lost and spent resolving issues. Documentation is required for both.

The Details
In 2017 and 2018, Iowa Health Systems, which does business as UnityPoint Health, was the target of phishing campaigns by hackers. The first incident was reported in April of 2018 when several employees fell for the phishing bait. 16,000 patients had their data exposed from about November 2017 through February of 2018 from that attack. A much larger breach happened in late May of 2018. The email appeared to be from a UnityPoint executive, and several employees fell for the scam.

This resulted in access to the internal email system for about a month in the spring of 2018. The emails contained protected health information (PHI) that included driver’s license details and social security numbers. Patients were not notified until July 2018, and those affected soon filed a class-action lawsuit.

The lawsuit implied that UnityPoint went beyond the HIPAA-required 60-day notification limit and did not clearly identify the severity of the breach. There was also an issue with UnityPoint’s statement claiming that “no information to date indicating that your protected health information involved in this incident was or will be used for any unintended purposes” – which was not the truth.

At the onset, UnityPoint should have at least offered credit monitoring services, and did not. Instead, they moved to dismiss the lawsuit. What they ended up with was a $2.8 million settlement which will go to the victims as outlined above.

Ongoing Resolution
UnityPoint is also required to make additional detailed changes to improve its network and data security practices and measures to address the gaps that exposed them to these breaches. This point should be underlined as we look at our own businesses and their risk of a breach. A solid cybersecurity plan does not just respond to an attack. You must first look at the business as a whole and that includes where HIPAA and cybersecurity overlap. Once you see the whole picture, assess the risks and weak links, then devise a plan to fix those areas and create an ongoing plan to educate and inform employees of the EVERYDAY risk that they face as an entry point for hackers. These risks are constantly changing, so your education must meet those changes as well.

The cost of a breach can be debilitating to any business and if you are not looking at your risk of exposure, you are putting every employee and patient in danger. Danger from identity theft and danger of job loss.

Two emails cost UnityHealth Point millions of dollars. Two emails. Are you doing all that you can to protect your healthcare community?

This article was originally published on HIPAA Secure Now! and is republished here with permission. HIPAA Secure Now offers annual online subscriptions to help covered entities and business associates keep up with compliance. Learn more here.

HIPAA Secure Now! now offers PHIshMD training for CEs and BAs to help protect your organization from security threats.

Technology safeguards put a virtual wall around your network, but what happens when the bad actors climb over that wall? It’s up to your employees. Over 90% of breaches get caused by human error according to Kaspersky Lab, and if you’re not educating users HOW to protect your organization in this ever-changing threat landscape, your organization could be next. LEARN MORE