Saint Louis University Agrees to $2 Million Settlement to Resolve Data Breach Lawsuit
A settlement has been reached to resolve a class action lawsuit against St. Louis University and SSM Health Saint Louis University Hospital (SSM-SLUH) over a 2023 data breach. Under the terms of the settlement, a fund of $2 million will be created to cover claims, attorneys’ fees, and legal costs and expenses.
St. Louis University identified suspicious activity within its email system in March 2023. The investigation confirmed that a cybercriminal group accessed a limited number of employee email accounts after conducting a phishing campaign. The unauthorized access spanned from December 2022 to July 2023, and while there was unauthorized access, no evidence was found to indicate there had been any misuse of the exposed data.
The compromised accounts contained the personal information of students, employees, and hospital patients, including names, addresses, telephone numbers, dates of birth, driver’s license numbers, passport numbers, digital signatures, Social Security numbers, health insurance information, and medical information. Up to 93,000 individuals potentially had their data stolen in the incident.
A lawsuit – M.W, et al., v. St. Louis University, et al – was filed in the Circuit Court for St. Louis City, Missouri, in response to the breach by four individuals, individually and on behalf of other similarly situated individuals whose personal and protected health information was compromised in the incident. The lawsuit made several claims, including negligence for failing to protect sensitive data due to a lack of reasonable and appropriate safeguards. The defendants maintained there was no wrongdoing; however, a mutually agreeable settlement was reached to bring the litigation to an end, with no admission of wrongdoing or liability.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The settlement, which has received preliminary approval from the court, permits claims to be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses incurred as a result of the data breach up to a maximum of $2,500 per claimant. In addition, all class members may claim a cash payment, which is estimated to be $100. The amount will be adjusted based on the number of claims received and may be higher or lower than $100. In addition, class members can claim one year of credit monitoring and identity theft protection services. The defendants have also provided assurances that they have implemented additional measures to better secure their digital environment.
The deadline for opting out of or objecting to the settlement is May 27, 2025, and claims must be submitted by June 13, 2025. The final approval hearing has been scheduled for June 26, 2025.
