[BreachExchange] Patients File Lawsuit Against MU Health Over Data Breach of 14K

Destry Winant destry at riskbasedsecurity.com
Fri Aug 14 08:20:47 EDT 2020


https://healthitsecurity.com/news/patients-file-lawsuit-against-mu-health-over-data-breach-of-14k

About one week after University of Missouri Health Care (MU Health)
began reporting a potential health data breach, the impacted patients
filed a class-action lawsuit arguing the breach puts the victims at a
greater risk of identity theft, according to local news outlet the
Missourian.

On May 1, MU Health discovered that a hacker had access to two
employee email accounts for more than a week, from April 23 until the
discovery. Officials said they immediately took steps to secure the
accounts.

The notification did not outline how the hacker was able to gain
access or whether it was a phishing attack. But officials said the
investigation determined the compromised account contained patient
names, dates of birth, health insurance details, medical record
numbers, and limited clinical and/or treatment information. For some
patients, Social Security numbers were included in the breached data.

Not all MU Health patients were included in the breach, only those
individuals with information contained in the compromised accounts.
Officials estimate about 14,400 patients were involved.

The investigation concluded on July 27, when MU Health began notifying
patients. However, the time frame went beyond the HIPAA-required 60
days between discovery and notification.

Less than a week after being notified, MU Health patient Penny Houston
filed a lawsuit against MU Health. 19 other patients have since been
added as claimants.

The lawsuit argues the breach puts victims at a higher risk of
identity theft and diminished care received. And patients said they
were overpaying for services from MU Health, as those services were
meant to be paired with adequate security.

Further, the data compromised during the hack provides cybercriminals
with the data necessary to create financial accounts under the
patients’ names. As a result, the suit argues the breach of personal
information will cause long-term issues for the impacted individuals,
including the risk of hackers stealing their identities to take out
loans, obtain medical services, or to file fraudulent tax returns.

The lawsuit also argued the victims are at a greater risk for phishing
or future hacking and claims they’ll now need to closely monitor and
guard their personal accounts from identity theft, and will need to
use their own funds to freeze their credit reports and accounts, as
well as to purchase credit monitoring services.

The MU Health notification did not offer breach victims free credit
monitoring services. Plaintiffs are asking the court to require
MU Health to provide credit monitoring to all class-action lawsuit
claimants.

The breach victims also asked that MU Health be required to strengthen
its data security and monitoring systems and submit to future system
audits and procedures. Lastly, the lawsuit seeks reimbursement of any
out-of-pocket costs, including attorney’s fees.

Health data breach-related lawsuits have increased as breaches have
become more commonplace. But there has not been a standard for how
decisions are handled. Most recently, a breach lawsuit against
UnityPoint Health was partially dismissed, allowing plaintiffs to only
pursue claims around negligence.

Similar lawsuits have been settled out of court, such as the recent
Premera Blue Cross settlement over the 2014 breach impacting 10.6
million patients.

