Lawsuit accuses University of Iowa Health System of negligence for data breach
Plaintiffs ‘must vigilantly monitor their financial and medical accounts now and for many years’

Nov. 28, 2023 1:08 pm, Updated: Nov. 29, 2023 7:52 am
IOWA CITY — A former employee of University of Iowa Community HomeCare has paired up with a former patient to sue the entity on behalf of themselves and 67,000-plus others over a data breach in March they argue could have been prevented, was reported too late and unjustly enriched the university while causing years of risk.
Becky Kaefring, an Iowa City woman who worked for UI Community HomeCare from 2003 to 2019, and Kimberly Sullivan, a Shellsburg mother whose child received UI home care services, this fall sued UI Community HomeCare and UI Community Medical Services — which fall under the UI Health Care umbrella.
In the lawsuit, which seeks class action certification, the women accused the entities of making “calculated decisions to avoid its data security obligations at the expense of plaintiffs and class members by utilizing cheaper, ineffective security measures.”
“(The UI defendants) failed to disclose facts about its substandard information systems, defects, and vulnerabilities therein before plaintiffs and class members decided to make purchases, engage in commerce therewith, and seek services,” according to the October lawsuit, listing nearly 20 demands, including a refund.
“Since (the UI) defendant’s profits, benefits, and other compensation were obtained improperly, (it) is not legally or equitably entitled to retain any of the benefits, compensation, or profits realized from these transactions,” according to the lawsuit.
The women also want a court to order the university entities to take cybersecurity steps including, among others, purging the private information of those in the lawsuit’s defined class unless the university can justify its retention; engaging independent auditors and internal personnel to monitor security and run simulated attacks; and starting annual information security training programming for employees.
The lawsuit asks that the UIHC entities be barred from storing personal information on a “cloud-based database.”
UI Community HomeCare uses a different electronic record system than the UIHC, Executive Director Shane Sedenka told The Gazette. Although he didn’t comment on the pending litigation or provide specifics about its data privacy practices and policies, Sedenka said, “There is no indication that any UI Health Care protected health information was impacted as a result of UI Community HomeCare’s security incident.”
“The privacy and security of patient information is a top priority, and we are confident that UI Community HomeCare’s data security program is consistent with industry standards.”
‘Imminent and impending injury’
The breach compelling the lawsuit happened March 23, although the UIHC didn’t report it until May, according to the U.S. Department of Health and Human Services.
“UI Community HomeCare has determined that the impacted files contained personal information related to patients,” according to the UIHC notice identifying 67,897 affected individuals. “At this time, UI Community HomeCare sees no evidence of misuse of any information related to this incident.”
But the plaintiffs argue they’re now burdened with years of monitoring and anxiety.
Kaefring reports “lost time, annoyance, interference, and inconvenience due to the data breach and has anxiety and increased concerns about the loss of her privacy, especially her Social Security number, being in the hands of criminals,” the lawsuit asserts.
The lawsuit said the entities should have seen the event coming and interceded. Nationwide, there were 1,862 data breaches in 2021, a 68 percent spike over 2020, according to the Identity Theft Resource Center, which is cited in the lawsuit. Of the 2021 breaches on record, nearly 18 percent were in the medical or health care sector — exposing nearly 30 million sensitive records.
Facebook lawsuit
The lawsuit comes as a current UIHC patient two weeks ago updated her similar lawsuit, also seeking class status, accusing UI Hospitals and Clinics of the “unlawful and widespread unauthorized practice” of sharing confidential personal protected health information to third parties — like Facebook, also known as Meta.
Citing UIHC’s encouragement that patients use its websites to book appointments, find doctors, locate facilities and communicate symptoms, among other things, the lawsuit accuses UIHC of installing and implementing a Facebook Tracking Pixel that “secretly enables the unauthorized transmission and disclosure” of personal information.
“(UIHC) utilized the pixel data for marketing purposes in an effort to bolster its profits,” according to the lawsuit. “Facebook also uses plaintiff’s and class members’ private information to create targeted advertisements based on the medical conditions and other information which is then surreptitiously disclosed to (UIHC).”
In response to the lawsuit — first filed in April in U.S. District Court — UIHC attorneys in July requested dismissal for, among other things, procedural flaws. It said the UIHC accessed only information the plaintiffs “willingly provided.”
“The complaint closely resembles several other cases alleging health care providers illegally installed a piece of software known as the ‘Facebook Pixel’ on their websites,” according to the UIHC response. “But UIHC — an instrumentality of the State of Iowa — stands apart from other private health care providers, and the complaint’s one-size-fits-all pleading commits dispositive errors.”
But the woman suing UIHC said in her lawsuit she submitted medical information to its websites by searching for a physician, communicating with her physician, completing patient forms, and reviewing health care records.
“Shortly thereafter, this information was communicated from (UIHC’s) website to Facebook,” according to the lawsuit, listing damages like invasion of privacy, time lost to mitigating privacy invasion consequences and “ongoing risk of harassment, spam, and targeted advertisements specific to (her) medical conditions.”
Comments: (319) 339-3158; vanessa.miller@thegazette.com