Second data breach at UnityPoint Health added to class action lawsuit

August 14, 2018 GMT

A class-action lawsuit against UnityPoint Health over a data breach reported this spring was amended Monday to cover a second breach revealed last month.

Four patients are named in the updated lawsuit. They are among 1.4 million people, including 76,000 in Wisconsin, who were notified July 30 that their names, addresses and medical information — and, for some, driver’s license, Social Security and payment card or bank account numbers — may have been compromised.


The plaintiffs include Yvonne Mart Fox, of Middleton, and Grant Nesheim, of Mazomanie. They were named in the original suit, filed in May in U.S. District Court in Madison after UnityPoint Health reported the first data breach in April. In that incident, notices were sent to 16,400 patients.

The other plaintiffs named in the amended lawsuit are from Illinois and Iowa.

Iowa-based UnityPoint Health owns Meriter Health Services in Madison, which includes Meriter Hospital. The health care organization declined comment Monday.

In July, UnityPoint Health said emails disguised to appear like they came from an executive with the organization tricked employees into providing sign-in information, giving the attackers access to their accounts from March 14 to April 3.

The provider said it discovered the problem May 31. It said it would offer free credit monitoring services for a year to people whose driver’s license or Social Security number was involved.

According to the amended lawsuit, Fox “is being harassed and inundated with unwanted, unsolicited, and unlawful spam and phishing emails and auto-dialed calls from unscrupulous operators.”

She and others “fear for their personal financial security and are experiencing feelings of rage and anger, anxiety, sleep disruption, stress, fear, and physical pain.”

Nesheim learned in July there had been a fraudulent attempt to open an unauthorized credit card in his name, the amended lawsuit says. He was so inundated with robocalls that he had to take on a new number for work calls, the lawsuit says.

The updated lawsuit said UnityPoint Health told patients involved in the second data breach they could receive credit monitoring through Experian.

Experian has allegedly had its own data breaches, harming millions of customers, the lawsuit says.

UnityPoint Health has said it reset passwords for compromised accounts, conducted mandatory employee training about recognizing phishing emails and implemented multi-factor authentication in accessing systems, in an effort to prevent similar situations.