MADISON (WKOW) — An amended complaint has been filed against Iowa Health System, the company that runs UnityPoint Health, after a second data breach.
The amended complaint was filed Monday in U.S. District Court in Madison. It references three new plaintiffs in the lawsuit and a second data breach the health system discovered May 31.
The original lawsuit was filed in May on behalf of Yvonne Mart Fox of Middleton, claiming the hospital delayed reporting the data breach it first discovered in February. Patients were given notice in mid-April. It also alleges UnityPoint Health misled patients into believing their social security numbers were not compromised.
The lawsuit claims thousands of patients’ records were affected by the first breach, going back as far as November of 2017. Records show the breach happened through a "phishing" attack of employee email accounts and Social Security numbers, insurance and financial information and other medical records were potentially compromised.
The amended complaint filed Monday adds three more plaintiffs: Grant Nesheim of Mazomanie, Danielle Duckley of Illinois and Shelley Kitsis of Iowa. It also references a second data breach discovered May 31 and reported to the public at the end of July. Patients got letters in the mail around August 2.
The amended complaint accused UnityPoint Health of negligence, breach of confidentiality of health records, delaying notification of the breach, invasion of privacy, misrepresentation and concealment, breach of contract, and deceptive practices.
UnityPoint Health hasn’t responded to the lawsuit or the amended complaint, but it did issue a news release after the second breach, saying it "deeply regretted the incident."
RaeAnn Isaacson with UnityPoint Health said, “While we are not aware of any misuse of patient information related to this incident, we are notifying patients about what happened, what information was involved, what we have done to address the situation, and what patients can do to help protect their information.”