MU Health recently began notifying patients of a potential health data breach caused by a week-long email hack; the victims responded with a class-action lawsuit seeking complimentary credit monitoring and improved security.
About one week after University of Missouri Health Care (MU Health) began reporting a potential health data breach, the impacted patients filed a class-action lawsuit arguing the breach puts the victims at a greater risk of identity theft, according to local news outlet the Missourian.
On May 1, MU Health discovered that a hacker had gained access to two employee email accounts for more than a week, from April 23 until the intrusion was discovered. Officials said they immediately took steps to secure the accounts.
The notification did not outline how the hacker was able to gain access or whether it was a phishing attack. But officials said the investigation determined the compromised account contained patient names, dates of birth, health insurance details, medical record numbers, and limited clinical and/or treatment information. For some patients, Social Security numbers were included in the breached data.
Not all MU Health patients were included in the breach, only those individuals with information contained in the compromised accounts. Officials estimate about 14,400 patients were involved.
The investigation concluded on July 27, when MU Health began notifying patients. However, the time frame went beyond the HIPAA-required 60 days between discovery and notification.
Less than a week after being notified, MU Health patient Penny Houston filed a lawsuit against MU Health. Nineteen other patients have since been added as claimants.
The lawsuit argues the breach puts victims at a higher risk of identity theft and diminished the care they received. Patients also said they were overpaying for services from MU Health, as those services were meant to be paired with adequate security.
Further, the data compromised during the hack provides cybercriminals with the data necessary to create financial accounts under the patients’ names. As a result, the suit argues the breach of personal information will cause long-term issues for the impacted individuals, including the risk of hackers stealing their identities to take out loans, obtain medical services, or file fraudulent tax returns.
The lawsuit also argues the victims are at a greater risk of phishing or future hacking, and claims they will now need to closely monitor and guard their personal accounts against identity theft and use their own funds to freeze their credit reports and accounts and to purchase credit monitoring services.
The MU Health notification did not offer breach victims free credit monitoring services. Plaintiffs are asking the court to require MU Health to provide credit monitoring to all class-action lawsuit claimants.
The breach victims also asked that MU Health be required to strengthen its data security and monitoring systems and submit to future system audits and procedures. Lastly, the lawsuit seeks reimbursement of any out-of-pocket costs, including attorney’s fees.
Health data breach-related lawsuits have increased as breaches have become more commonplace. But there has not been a standard for how decisions are handled. Most recently, a breach lawsuit against UnityPoint Health was partially dismissed, allowing plaintiffs to only pursue claims around negligence.
Similar lawsuits have been settled out of court, such as the recent Premera Blue Cross settlement over the 2014 breach impacting 10.6 million patients.
Date: August 19, 2019
Source: HealthITSecurity