Patients Filed a Lawsuit Against MU Health Over May 2019 Phishing Attack


The University of Missouri Health Care (MU Health) is facing a lawsuit over the phishing attack on April 2019.

MU Health discovered on May 1, 2019 that two employees’ email accounts were accessed without authorization beginning on April 23, 2019 up to a period of one week. The email accounts contained a variety of sensitive data which includes names, birth dates, Social Security numbers, medical insurance data, clinical and treatment details.

The investigation into the breach of MU Health concluded on July 27. The provider sent notification letters to the people who had their protected health information (PHI) compromised and possibly stolen. The breach impacted around 14,400 patients.

Penny Houston, a MU Health patient, filed the lawsuit about one week after the issuance of notification letters. The lawsuit alleges that the breach put the patients at a heightened risk of experiencing identity theft and fraud. Criminals could potentially use the types of information contained in the compromised email accounts for stealing identities, filing falsified tax returns, and opening financial accounts using the names of the victims.

Because of the exposure of personal data, breach victims could possibly deal with long-term problems and have to pay for the fees of credit monitoring and identity theft protection services, since MU Health did not offer such services.

The lawsuit likewise alleges that patients were paying for healthcare services and a percentage of that cost go toward securing their data. Considering that there was not enough security implemented, the plaintiffs assert they were paying more for healthcare services at MU Health.

No less than 19 other patients have joined the filing of the lawsuit. The plaintiffs want the reimbursement of their out-of-pocket expenditures sustained because of the breach and they want MU Health to pay for the beach victims’ credit monitoring services. Moreover, the plaintiffs would like MU Health to add more funds for improving its data security protection, monitoring systems, and implementing systems and procedure audits.