SuperCare’s Proposed Data Breach Settlement and the Lawsuit Against University of Iowa Hospitals and Clinics

SuperCare Offers to Pay $2.25 Million to Resolve Data Breach Lawsuit

SuperCare, a home care service provider in California, has offered to pay $2.25 million to settle a class action lawsuit stemming from a 2021 hacking incident in which the protected health information (PHI) of 318,379 patients was exposed.

SuperCare detected a network attack on July 27, 2021. The forensic investigation confirmed that the attackers had access to its systems between July 23, 2021 and July 27, 2021; however, the compromise of patient data was not confirmed until February 4, 2022. The compromised records included names, addresses, dates of birth, hospital or medical group, medical record numbers, patient account numbers, health insurance details, lab test results, diagnoses, treatment information, other health-related data, and claims information, and, for some patients, driver’s license numbers and Social Security numbers. SuperCare notified the affected individuals on March 25, 2022, 8 months after the breach was discovered.

SuperCare was sued shortly after reporting the data breach. The lawsuit alleges that SuperCare violated the Federal Trade Commission (FTC) Act, California’s Confidentiality of Medical Information Act, and the Health Insurance Portability and Accountability Act (HIPAA) by failing to implement reasonable and appropriate cybersecurity measures to protect against the known threat of cyberattacks and data breaches. It also alleges that SuperCare failed to issue timely breach notifications, that the notifications sent to affected individuals lacked key details about the breach, and that no explanation was given for the delay. The lawsuit further claims that affected individuals were not offered sufficient credit monitoring services or other means of reducing the risk of misuse of their sensitive data.

Under the terms of the proposed settlement, SuperCare is offering two tiers of benefits. Tier 1 claims are for a cash payment of up to $100. Tier 2 claims cover up to $2,500 in out-of-pocket expenses incurred because of the data breach, plus around 4 hours of lost time valued at $25 per hour. All class members are eligible for one year of three-bureau credit monitoring services and $1 million of identity theft insurance coverage.

The deadline for objecting to or opting out of the proposed settlement is June 5, 2023. Claims must be filed by July 5, 2023. The final approval hearing is scheduled for August 28, 2023.

University of Iowa Hospitals and Clinics Faces Lawsuit for Unlawful PHI Disclosures to Facebook

University of Iowa Hospitals and Clinics (UIHC) is facing a lawsuit filed in the U.S. District Court for the Southern District of Iowa. The lawsuit alleges that UIHC negligently, unlawfully, and recklessly disclosed patients’ private data to Facebook without patient consent.

HIPAA-regulated entities have been scrambling to review their website practices following the discovery of the widespread use of website tracking code, commonly called pixels, to monitor the activity of website visitors. These code snippets capture details about website and application activity that can be linked to individual users. The collected data may be used to improve the user experience, but it is usually also transmitted to the code’s provider. A recent study published in Health Affairs found that 98.6% of non-government acute care hospital websites in the U.S. had tracking pixels that collected and transmitted sensitive information to Google, Meta (Facebook), and other third parties. The transferred data can be used for various purposes, such as serving targeted advertisements based on the specific medical conditions researched or shared on a healthcare provider’s website.

The scale of these patient privacy violations led the HHS’ Office for Civil Rights to publish guidance in 2022 on the use of website tracking code, and in 2023 OCR Director Melanie Fontes Rainer stated that the unauthorized sharing of PHI is currently an OCR enforcement priority. Plaintiffs’ attorneys have also moved quickly, and more than 50 lawsuits have now been filed against healthcare organizations over the use of these tracking tools.

The lawsuit, Yeisley v. University of Iowa Hospitals & Clinics, was filed on behalf of plaintiff Eileen Yeisley and similarly situated individuals. It alleges that UIHC operates two websites used for scheduling appointments, finding treatment centers and doctors, and registering patients for events and classes, and that UIHC deliberately placed a Facebook pixel on both websites that sent visitor activity to Facebook and linked that data to visitors’ personal Facebook profiles. The lawsuit further claims that UIHC installed a Facebook conversion application programming interface (API) on the sites, which operates separately from the pixel and enables additional disclosures of PHI to Facebook.

Through these code snippets, the sensitive information of patients and prospective patients is transmitted to Facebook without their knowledge or consent, and that data can then be sold by Facebook to third parties, allowing them to target the patients with advertisements specific to the health conditions shared or viewed on the websites. The lawsuit alleges that UIHC installed the code to increase profits, and it presents screenshots of the source code of UIHC’s websites showing the Facebook code snippets as evidence.
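As an added example (not part of the original article, and not code from UIHC or Meta), the following Python script shows the kind of check a privacy review of a patient-facing website would run: it scans page HTML for the indicators described above, namely the Meta Pixel loader host, `fbq()` init/track calls and the `www.facebook.com/tr` noscript image beacon. The host and function names are Meta’s publicly documented ones; the sample page, the pixel ID and the Google Tag Manager entry are constructed placeholders.

```python
"""Flag third-party tracking snippets in a patient-facing page's HTML."""
import re

# Hosts to flag. The Meta Pixel loader host, the www.facebook.com/tr beacon and
# the fbq() global are public, documented names; the Google entry is illustrative.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta (Facebook) Pixel",
    "www.facebook.com": "Meta (Facebook) Pixel (noscript beacon)",
    "www.googletagmanager.com": "Google Tag Manager",
}
SRC_ATTR = re.compile(r"""<(?:script|img)\b[^>]*\bsrc=["']([^"']+)""", re.I)
INLINE_SCRIPT = re.compile(r"<script\b(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.I | re.S)
# fbq('init', '<pixel id>') and fbq('track', '<event>') calls inside a script body.
FBQ_CALL = re.compile(r"""fbq\(\s*['"](init|track|trackCustom)['"]\s*,\s*['"]([^'"]*)['"]""")

# Constructed sample page; the pixel ID is a placeholder, not a real one.
SAMPLE_HTML = """<html><head><script>
!function(f,b,e,v,n,t,s){/* loader body omitted */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
fbq('track', 'Schedule');
</script><script src="/static/app.js"></script></head>
<body><h1>Find a doctor</h1><noscript><img height="1" width="1"
src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/></noscript>
</body></html>"""


def host_of(url):
    """Hostname of an absolute or scheme-relative URL; '' for a relative path."""
    return re.sub(r"^(https?:)?//", "", url).split("/")[0].lower()


def find_trackers(html):
    """Return sorted (vendor, evidence) pairs found in the page's HTML."""
    found = set()
    for src in SRC_ATTR.findall(html):
        if host_of(src) in TRACKER_HOSTS:
            found.add((TRACKER_HOSTS[host_of(src)], f"external load: {src}"))
    for body in INLINE_SCRIPT.findall(html):
        # The loader URL is usually a string argument inside the snippet, not a src=.
        for host, vendor in TRACKER_HOSTS.items():
            if host in body:
                found.add((vendor, f"inline reference to {host}"))
        for verb, arg in FBQ_CALL.findall(body):
            found.add(("Meta (Facebook) Pixel", f"fbq('{verb}', '{arg}')"))
    return sorted(found)
```

Such a scan only covers what the browser loads; the conversion API described above runs server-side and leaves no trace in page HTML, so reviewing it requires looking at server configuration and outbound traffic instead.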

OCR stated in its guidance that sharing PHI in this way is generally not permitted by the HIPAA Privacy Rule and that such disclosures require notifications under the HIPAA Breach Notification Rule. Several healthcare organizations have reported PHI breaches to OCR in connection with tracking code, but UIHC has not yet issued breach notification letters. University of Iowa Health Care has responded to the allegations with a statement saying that it is dedicated to protecting patient privacy, that it does not share patients’ PHI with Meta or Facebook, and that it will review the lawsuit upon receipt.

The lawsuit alleges breach of confidence, negligence, unjust enrichment, invasion of privacy, and violations of the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act. It seeks class-action status, equitable and injunctive relief, and a court order barring UIHC from continuing the practice, as well as an award of damages, including actual, consequential, nominal, and punitive damages.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.