Iowa Health System, which does business as UnityPoint Health, has reached a settlement over two data breaches at the health system, which had collectively compromised data on more than 1 million patients and employees, according to court documents filed last week.
The plaintiffs in the case filed the motion for preliminary approval of a settlement to end a proposed class action over the 2017 and 2018 cyberattacks in federal court in Wisconsin.
Under the deal, an estimated 1.4 million people whom UnityPoint Health notified after the data breaches would be able to request reimbursement for expenses from the incidents. Each class member's reimbursement is capped at $1,000 for ordinary expenses—such as costs associated with credit freezes, credit monitoring services and up to three hours of time lost responding to the incident—and $6,000 for extraordinary expenses.
Extraordinary expenses could include costs incurred addressing identity fraud and up to 10 additional hours of time lost, according to the proposed settlement agreement.
The agreement does not include an overall cap on monetary relief for class members.
"This is a significant benefit as compared to other settlements, in which individual class member recovery is subject to pro rata reduction if the aggregate amount of claims exceeds a global cap or other limit," the documents read.
UnityPoint Health also agreed to provide people affected by the data breaches with one year of credit monitoring services, including up to $1 million in reimbursement insurance to cover losses due to identity theft and services to notify a class member if information such as Social Security numbers or credit card numbers is found on the dark web.
The credit monitoring and identity theft protection services for the settlement class are valued at approximately $2.8 million, according to court documents.
In addition, UnityPoint Health will pay attorneys' fees and expenses incurred by the plaintiffs, not to exceed $1.575 million.
The settlement resolves a proposed class action over two data breaches, both of which involved email phishing scams.
UnityPoint Health in April 2018 reported that hackers had breached 16,429 people's information through an email phishing attack. UnityPoint Health discovered the data breach in February 2018, but the hackers' access to employee email accounts had occurred as early as November 2017, according to the plaintiffs.
In July 2018, UnityPoint Health reported a second data breach, also involving hackers accessing employee email accounts. The data breach, which began in March 2018, compromised data from approximately 1.4 million patients and employees. UnityPoint Health discovered the data breach in May 2018.
In an emailed statement, a UnityPoint Health spokesperson said the health system has conducted full investigations into the data breaches and implemented "a variety of safeguards to reduce the likelihood of a similar incident occurring again."
"UnityPoint Health values the protection of patient privacy and we continually evaluate and modify our security practices to further strengthen the privacy of our patients' personal health information," the spokesperson said.