
Lawsuit accuses University of Iowa Health System of negligence for data breach

cigaretteman

A former employee of University of Iowa Community HomeCare has paired up with a former patient to sue the entity on behalf of themselves and 67,000-plus others over a data breach in March they argue could have been prevented, was reported too late, and unjustly enriched the university while causing years of stress, risk, and potential further victimization in the form of fraud and identity theft.



Becky Kaefring, an Iowa City woman who worked for UI Community HomeCare from 2003 to 2019, and Kimberly Sullivan, a Shellsburg mother whose child received UI home care services, this fall sued UI Community HomeCare and UI Community Medical Services — which fall under the UI Health Care umbrella.


In the lawsuit — seeking “class action” certification, allowing the tens of thousands affected to seek recompense — the women accused the UIHC entities of making “calculated decisions to avoid its data security obligations at the expense of plaintiffs and class members by utilizing cheaper, ineffective security measures.”





“(The UI defendants) failed to disclose facts about its substandard information systems, defects, and vulnerabilities therein before plaintiffs and class members decided to make purchases, engage in commerce therewith, and seek services,” according to the October lawsuit, listing nearly 20 demands, including a UI refund.


“Since (the UI) defendant’s profits, benefits, and other compensation were obtained improperly, (it) is not legally or equitably entitled to retain any of the benefits, compensation, or profits realized from these transactions,” according to the lawsuit, seeking court order that UIHC “refund, disgorge, and pay as restitution any profits, benefits, and other compensation obtained … from its wrongful conduct and/or the establishment of a constructive trust from which plaintiffs and class members may seek restitution.”


The women also want a court to order the university entities to:


  • Protect through encryption all the data they collect;

  • Delete and purge the private information of those in the lawsuit’s defined class unless the university can justify its retention, weighed against the plaintiffs’ privacy concerns;

  • Implement and maintain an “information security program” designed to protect confidentiality;

  • Engage independent third-party auditors and internal personnel to monitor security, run simulated attacks, conduct tests, and perform periodic audits;

  • Create firewalls and controls so hackers can’t access other portions of the UIHC system if one area is compromised;

  • Establish information security training programming annually updating employees on best practices and responsibilities;

  • Implement and maintain a threat-management program to monitor UIHC networks for internal and external threats;

  • And “meaningfully educate all class members about the threats they face due to the loss of their confidential personal identifying information to third parties.”

The lawsuit also asks that UIHC be barred from storing personal information on a “cloud-based database.”


UI Health Care officials didn’t immediately outline data-privacy practices and policies for The Gazette — although a UIHC privacy policy posted online reports using “encryption to protect the transmission of information you submit to us when you use our secure online forms.”


‘Imminent and impending injury’


The breach compelling the lawsuit happened March 23, 2023 — although UIHC didn’t report it until May, according to the U.S. Department of Health and Human Services.








“Two months after (the university) claims to have discovered the data breach, (the university) began sending the notice to persons whose private information was compromised,” according to the lawsuit, describing the notice — among other things — as sharing basic details of the breach, recommended next steps like monitoring accounts for fraud, and the nugget that UIHC learned of the breach March 23.


“UI Community HomeCare has determined that the impacted files contained personal information related to patients,” according to the UIHC notice identifying 67,897 affected individuals. “At this time, UI Community HomeCare sees no evidence of misuse of any information related to this incident.”


But the women behind the lawsuit argued they’re now burdened with years of monitoring and anxiety.


“Upon receiving the notice letter from (UIHC), plaintiff Kaefring has spent significant time dealing with the consequences of the data breach, including researching the credit monitoring and identity theft insurance offered by (UIHC),” according to the lawsuit.


Kaefring reports “lost time, annoyance, interference, and inconvenience due to the data breach and has anxiety and increased concerns about the loss of her privacy, especially her Social Security number, being in the hands of criminals.”


“Kaefring has suffered imminent and impending injury arising from the substantially increased risk of fraud, identity theft, and misuse resulting from her stolen private information being placed in the hands of unauthorized third parties and criminals.”


The lawsuit said UIHC should have seen the event coming and interceded — considering 2021 brought a record 1,862 data breaches, representing a 68-percent spike over 2020, according to the Identity Theft Resource Center.


Of the 2021 breaches on record, nearly 18 percent were in the medical or health care sector — exposing nearly 30 million sensitive records.


“In fact, according to the cybersecurity firm Mimecast, 90 percent of health care organizations experienced cyberattacks in the past year,” according to the lawsuit, flagging a “substantial time lag — measured in years — between when harm occurs and when it is discovered and between when private information and/or financial information is stolen and when it is used.”


“Thus, plaintiffs and class members must vigilantly monitor their financial and medical accounts now and for many years to come,” according to the lawsuit.


Facebook lawsuit


The lawsuit comes as a current UIHC patient two weeks ago updated her similar lawsuit, also seeking class status, accusing UI Hospitals and Clinics of the “unlawful and widespread unauthorized practice” of sharing confidential personal protected health information to third parties — like Facebook, also known as Meta.


Citing UIHC’s encouragement that patients use its websites to book appointments, find doctors, locate facilities, communicate symptoms, identify medical conditions, research treatment options, and sign up for events and classes — the lawsuit accuses UIHC of installing and implementing a Facebook Tracking Pixel that “secretly enables the unauthorized transmission and disclosure” of personal information.


“(UIHC) utilized the pixel data for marketing purposes in an effort to bolster its profits,” according to the lawsuit. “Facebook also uses plaintiff’s and class members’ private information to create targeted advertisements based on the medical conditions and other information which is then surreptitiously disclosed to (UIHC).”


In response to the lawsuit — first filed in April in U.S. District Court — UIHC attorneys in July requested dismissal for, among other things, procedural flaws.


Among other things, according to the university, the plaintiff doesn’t have a “viable invasion of privacy claim”; UIHC wasn’t “unjustly enriched”; its website doesn’t qualify as an “electronic communications service”; and UIHC only accessed information the plaintiffs “willingly provided.”


“The complaint closely resembles several other cases alleging health care providers illegally installed a piece of software known as the ‘Facebook Pixel’ on their websites,” according to the UIHC response. “But UIHC — an instrumentality of the State of Iowa — stands apart from other private health care providers, and the complaint’s one-size-fits-all pleading commits dispositive errors.”


But the woman suing UIHC in her lawsuit said she submitted medical information to its websites by searching for a physician, communicating with her physician, completing patient forms, and reviewing health care records.


“Shortly thereafter, this information was communicated from (UIHC’s) website to Facebook,” according to the lawsuit, listing damages like invasion of privacy, lost time spent mitigating privacy-invasion consequences, and “ongoing risk of harassment, spam, and targeted advertisements specific to (her) medical conditions.”


UIHC’s conduct, according to the lawsuit, “constitutes a threat to public health or safety.”

 