UConn Health Charged With a Class Action Lawsuit Over Phishing Attack

A class action lawsuit has been filed against the University of Connecticut and UConn Health in behalf of patients for the exposure of their protected health information (PHI) due to a phishing attack that was identified on December 24, 2018. The patients are seeking damages, equitable, declaratory, and injunctive relief to avoid a repeat of a data breach. They also want a jury trial.

Because of the phishing attack, several employees’ email accounts were compromised and impacting a total of 326,000 UConn Health patients’ personal and health information. Only a limited amount of PHI was exposed for the majority of the people affected by the breach. But about 1,500 patients had their name, address, birth date, and Social Security number, and a number of healthcare information compromised.

The lawsuit claims UConn Health was negligent in protecting the private data of its patients and failed to issue prompt, accurate, and sufficient breach notification. The lawsuit points out the major inadequacies in UConn Health’s security protocols, thus the breach was not noticed for months. As per the lawsuit, the first breach of email accounts occurred in August 2018. However, UConn Health only knew about the breach in December 2018. Then, patients received notification about the breach of their PHI only on February 25, 2019.

The attackers had accessed the accounts for four months and possibly viewed or stolen patient data. UConn was unable to detect the breach of its systems and so hackers were able to steal the data on a large number of present and past patients. If UConn acted promptly, the consequences of the breach could have been significantly reduced, according to the lawsuit.

The lawsuit additionally alleges there was inadequate security awareness training. The employees were not trained to distinguish a potential phishing email.

The lawsuit identifies Yoselin Martinez as the plaintiff and over 100 putative class members were in the same way impacted by the breach. The lawsuit seeks damages worth well over $5 million.

Yoselin Martinez received breach notification on February 25, 2019. Upon checking her bank account, she found an unauthorized transaction put her in overdraft. She claims the transaction was caused by the fake use of her data that hackers stole from UConn Health.

The Law office of Glancy, Prongay, & Murray LLP is representing the plaintiffs.