Data Breach Settlement Has an Unusual Provision
No 'Global Cap' on Payment of Claims
A preliminary settlement of a class action data breach lawsuit against Iowa Health System - which does business as UnityPoint Health - contains an extraordinary provision that could prove quite costly.
Unlike settlements in most other data breach class action lawsuits, this one does not contain a "global cap" on the total amount of claims to be paid to victims.
By comparison, a 2019 settlement in a lawsuit against Banner Health in the wake of a 2016 health and financial information breach affecting 2.9 million individuals capped reimbursement of victims' expenses at $6 million.
The UnityPoint settlement is tied to two phishing incidents - one in 2017 affecting about 16,400 patients and employees and another in 2018 impacting 1.4 million. The 2018 attack was the second biggest health data breach reported to the Department of Health and Human Services in 2018, according to the HHS Office of Civil Rights' HIPAA Breach Reporting Tool.
No 'Global Cap'
Settlement documents in the UnityPoint Health case note: "The monetary relief and credit monitoring services available to settlement class members are not subject to a global cap on settlement benefits - meaning that every settlement class member will be fully compensated for valid claims, independent of the aggregate amount of other claims submitted."
Independent privacy and security attorney Paul Hales, who was not involved in the lawsuit, notes: "The potential uncapped costs to UnityPoint Health are breathtaking. The class consists of more than 1.4 million members. Each is entitled to up to $1,000 for documented out-of-pocket 'ordinary expenses' related to the data breaches and up to $6,000 for 'extraordinary expenses' including out-of-pocket expenses and additional lost time spent resolving documented extraordinary losses.
"Do the math. The settlement is especially significant because the final settlement amount is not subject to a global cap. Each class member must be fully compensated for valid claims up to the individual limits on ordinary and extraordinary expenses."
Hales says he had been watching the UnityPoint case and expected a settlement, "but not one of the magnitude" of the proposed order.
"UnityPoint Health must have felt pressure to settle after a July 25, 2019, order in the case. The trial judge ruled, 'Plaintiffs have plausibly alleged injuries that can be linked to this [breached] information,'" he says. In addition, Hales points out, the judge also ruled: "In this case, plaintiff(s) have alleged facts sufficient to establish an objectively reasonable likelihood of future identity theft."
Under the terms of the proposed settlement, UnityPoint will provide one year of comprehensive credit monitoring and ID theft protection services with a retail value of about $200 per settlement class member.
The proposed settlement document notes that "given a class size of approximately 1.4 million individuals, this is an enormous benefit, amounting to millions of dollars of value to settlement class members."
UnityPoint also will pay 100% of all "ordinary expenses" up to $1,000 for each person affected by the breaches. That includes documented out-of-pocket expenses related to the data breaches, including up to a total of $45 ($15 per hour for three hours) for time lost dealing with the aftermath of the security incidents.
The settlement also provides for reimbursement of "extraordinary expenses" of up to $6,000 per victim. Examples of these expenses include professional fees and other costs incurred to address identity theft or fraud.
Under the case's most recent amended complaint filed in August 2018, the plaintiffs allege that UnityPoint neglected its duty to safeguard their PHI and PII as required under various federal and state laws; violated various state breach notification laws; and knowingly made deceptive representations of its data security policies and practices in its privacy statements and elsewhere.
The amended complaint included several examples of plaintiffs who alleged they had been victims of identity theft or fraud incidents following the UnityPoint data breaches. Those incidents include alleged attempts by fraudsters to open credit card accounts using a victim's identity and the discovery of a plaintiff's information on a darknet website.
Attorneys representing UnityPoint did not immediately respond to Information Security Media Group's request for comment, and an attorney representing the plaintiffs declined ISMG's request for comment.
Improving Data Security
The preliminary settlement also calls for UnityPoint Health to improve its network and data security to address vulnerabilities and safeguard patient data.
The details of the steps that UnityPoint must take to improve its security were redacted from the preliminary settlement document, and a related exhibit document was sealed by the court.
Provisions in data breach class action lawsuit settlements that call for the breached entity to improve its security programs are increasingly common.
For instance, in 2018, the $115 million settlement in a consolidated class action lawsuit against Anthem in the wake of a 2015 cyberattack affecting nearly 79 million individuals called for the health insurer to triple its cybersecurity budget.
"Federal Trade Commission enforcement actions that impose mandates on businesses in the event of a breach of consumer privacy and data security could be responsible for the trend we are seeing in class action lawsuits in requiring organizations to beef up data protection safeguards," notes privacy attorney David Holtzman of the privacy and security consulting firm CynergisTek.
"Organizations that agree to settlement terms that require increased data security safeguards following a data breach may be in a much better position to ward off the possibility of harsh penalties from enforcement agencies as well as mitigate the risk of future class actions," he says.
Sources say the UnityPoint settlement could be finalized in the court by the end of this year.