A class-action lawsuit filed Tuesday demands a jury trial and seeks compensatory damages and other relief after an MU Health Care data breach left public health information of thousands of patients vulnerable.
On Friday, MU Health Care revealed that around 14,400 patients’ personal information was accessed through the email accounts of at least two employees between April 23 and May 1. Some Social Security numbers, health insurance, medical and other protected health information were compromised. MU Health Care has no indication that the person who accessed the information viewed or misused it, according to previous Missourian reporting.
Penny Houston of Smithton is the lead plaintiff in the suit, which was filed in Boone County Circuit Court on Tuesday. Attorney A.W. Smith said at least 20 other claimants have already joined in the class action.
The claimants issued a list of grievances in the petition. They said the data breach put patients at a higher risk of identity theft, further compromised their information and diminished the value of services received from MU Health Care.
The plaintiffs are asking that MU Health Care strengthen its data security systems and monitoring procedures, submit to future annual audits of those systems and procedures and immediately provide free credit monitoring to all class members, according to the petition.
Class members believe they were overpaying for services that were intended to be paired with adequate data security.
Smith, of the A.W. Smith Law Firm, is one of three lawyers representing the claimants. He said in a Thursday interview that protected health information, which he and the lawsuit call PHI, gives data thieves all the information they need to financial accounts in the claimants’ names.
“On the black market, PHI is much more valuable” than other types of personal information, Smith said.
He said that once personal information is breached, it can cause long-term problems for affected patients.
“The sensitive information is such a valuable commodity to identity thieves that once the information has been compromised, criminals often sell it on the cyber ‘black-market’ or ‘dark web’ indefinitely,” the petition reads. “Cyber criminals routinely post stolen Social Security numbers, financial information, medical information, and other sensitive personal information on anonymous websites, making the information widely to a criminal underworld. There is an active and robust market for this information.”
The petition says those whose information was compromised face the possibility that data thieves can use their names to take out loans, to obtain medical services or driver’s licenses, or to file fraudulent tax returns. They can also target them through phishing attacks and hacking.
To combat that, the petition says, claimants will have to closely monitor their financial accounts to guard against identity theft and may have to spend their own money to buy credit-monitoring services or to freeze their credit reports and accounts.
Smith said he had no estimate what the amount of compensatory and consequential damages in the case might be. The claimants also are seeking reimbursement for any out-of-pocket expenses they incur as well as attorney’s fees and costs.
Jesslyn Chew, spokesperson for MU Health Care, sent a statement to the Missourian by email after it inquired about the lawsuit.
“MU Health Care remains committed to protecting the security and confidentiality of our patients’ information. Upon learning of this incident, we conducted a thorough investigation using a third-party forensics firm,” Chew said. “We have no indication that any patient data was actually viewed by an unauthorized individual or that such data has been misused. However, we are notifying potentially impacted individuals and suggesting steps they can take in response to this incident.”
The date for the trial has not been set. Circuit Judge Brouck Jacobs has been assigned to the case.