MU Health Care Settles Data Breach Lawsuit for $8 Million
University of Missouri Health Care (MU Health Care) has decided to pay $8 million to settle a class action lawsuit over a 2020 data breach in which unauthorized persons gained access to staff email accounts containing patients’ protected health information (PHI).
MU Health Care faced two lawsuits filed over the email breach. On October 9, 2020, MU Health Care patient Casey Bumbales filed the first lawsuit. On January 20, 2021, patient Amanda Kunkelman filed the second lawsuit. Both had their sensitive information exposed in the phishing attack. Because the lawsuits made identical charges and were based on the same information, they were combined into one action. The Bumbales, et al. v. Curators of the University of Missouri, d/b/a MU HEALTH CARE lawsuit was filed in Boone County’s Circuit Court in the Missouri Circuit Division.
Through an email phishing attack, the threat actor accessed email accounts from May 4, 2020 to May 6, 2020. MU Health Care submitted the breach report to the HHS Office for Civil Rights indicating that 189,736 individuals were affected. In June 2020, OCR also received an email breach report indicating that 5,074 individuals were affected and another 14,402 individuals were affected in 2019. The lawsuits assert that MU Health Care did not implement reasonable and proper security measures to protect against phishing attacks. If those security measures had been applied, the breach should have been avoided. The lawsuits assert that MU Health Care was negligent, particularly since a phishing attack in 2019 had compromised patient information.
According to the terms of the settlement, class members who received a breach notification letter can choose between two benefits. They may file a claim for compensation of documented out-of-pocket costs and losses resulting from the data breach and about three hours of lost time valued at $25 per hour, up to a maximum claim amount of $150 for each class member. Alternatively, class members can opt for a fixed $60 cash payment. The settlement also requires MU Health Care to enable multifactor authentication on all email accounts.
The last day for objections, exclusions, and filing claims is January 14, 2024. The final approval hearing is scheduled for February 3, 2025.