The victims of a phishing attack targeting UnityPoint Health, which operates medical centers in Illinois, Iowa and Wisconsin, filed a class action lawsuit against the firm claiming victims were falsely told their social security numbers hadn’t been compromised, according to a federal class action lawsuit filed Friday.
The incident resulted from a phishing attack which compromised employee email accounts and left the information of at least 16,429 people exposed from November 2017 until the breach was discovered between February 7, 2018 and February 15, 2018.
In mid-April 2018 patients were notified of a breach which compromised dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and insurance information.
The plaintiffs claim UnityPoint explicitly stated “The information did not include your Social Privacy number” and falsely claimed UnityPoint had no information indicating that the stolen PHI “will be used for any unintended purposes.” according to court documents.
Furthermore the victims are claiming that UnityPoint misrepresented the nature, breadth, scope, harm, and cost associated with the breach.