MU Health Patients Take Legal Action Over May 2019 Phishing Attack

A lawsuit has been filed against University of Missouri Health Care (MU Health) over an April 2019 phishing attack.

On May 1, 2019, MU Health learned that two staff email accounts had been compromised for a period of more than one week, starting on April 23, 2019. The email accounts contained a range of sensitive information including names, dates of birth, Social Security numbers, health insurance information, clinical and treatment information.

MU Health’s investigation concluded on July 27 and notification letters were sent to individuals whose protected health information (PHI) had been exposed and potentially stolen. Approximately 14,400 patients had been impacted by the breach.

The lawsuit was filed by MU Health patient Penny Houston around a week after the notifications were issued. The lawsuit states that, as a result of the breach, patients have been placed at an elevated risk of suffering identity theft and fraud. The types of data contained in the compromised accounts would allow criminals to steal identities, file fraudulent tax returns, and open financial accounts in the victims’ names.

As a result of the exposure of personal information, breach victims could face long-term issues and have to cover the cost of credit monitoring and identity theft protection services, as none were offered by MU Health.

The lawsuit also argues that patients have been paying for medical services and a proportion of that cost should have covered securing their information. Since sufficient protections had not been implemented, the plaintiffs claim they have been overpaying for medical services at MU Health.

At least 19 other patients have now added their names to the lawsuit. The plaintiffs seek reimbursement of out-of-pocket expenses to cover costs incurred as a direct result of the breach and for MU Health to pay for credit monitoring services for all victims of the breach.  Additionally, the plaintiffs want MU Health to invest more money in cybersecurity to strengthen its data security defenses, monitoring systems, and also to agree to undergo audits of its systems and procedures in the future.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.