The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

$8 Million Settlement Agreed in MU Health Care Data Breach Lawsuit

University of Missouri Health Care (MU Health Care) has agreed to pay $8 million to resolve a class action lawsuit over a 2020 data breach that saw unauthorized individuals gain access to employee email accounts containing patients’ protected health information.

Two lawsuits were filed in response to the email breach, the first on October 9, 2020, on behalf of MU Health Care patient Casey Bumbales and a second on January 20, 2021, by patient Amanda Kunkelman, both of whom had their sensitive data compromised in the phishing attack. Since the lawsuits made similar allegations and were based on the same facts, they were consolidated into a single action, Bumbales, et al. v. Curators of the University of Missouri, d/b/a MU HEALTH CARE in the Circuit Court of Boone County, Missouri Circuit Division.

An email phishing attack saw email accounts compromised between May 4, 2020, and May 6, 2020. MU Health Care reported the breach to the HHS Office for Civil Rights as affecting 189,736 individuals. An email breach was also reported to OCR in June 2020 that affected 5,074 individuals and another in 2019 that affected 14,402 individuals. The lawsuits allege reasonable and appropriate security measures had not been implemented by MU Health Care to protect against phishing attacks, and had those measures been implemented, the breach could have been prevented. The lawsuits claimed this amounted to negligence, especially since a phishing attack that exposed patient data had occurred in 2019.

Under the terms of the settlement, class members – individuals who received a notification letter about the May 2020 data breach – may choose one of two benefits. They may submit a claim for reimbursement of documented out-of-pocket expenses and losses due to the data breach and up to three hours of lost time at up to $25 per hour, up to a maximum claim amount of $150 per class member. Alternatively, class members may choose a fixed cash payment of $60. The settlement also requires MU Health Care to implement multifactor authentication for email accounts.

The deadline for exclusion, objection, and submitting claims is January 14, 2024. A final approval hearing has been scheduled for February 3, 2025.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
