MU Health Faces Lawsuit Over Phishing Attack in May 2019

Because of a phishing attack on April 2019, the University of Missouri Health Care (MU Health) is charged with a lawsuit.

MU Health found out on May 1, 2019 the one week unauthorized access of two employees’ email accounts starting on April 23, 2019. The email accounts stored sensitive information such as names, Social Security numbers, birth dates, health insurance details, clinical and treatment information.

The MU Health breach investigation ended on July 27, after which the company notified all the people whose protected health information (PHI) were exposed and likely stolen. The breach affected 14,400 patients more or less.

Penny Houston is the MU Health patient who filed the legal case a week after the sending of breach notification letters. Allegedly, the breach placed the patients at high risk of identity theft and fraud. The types of data contained in the compromised account can be used by criminals for identity theft, filing of fraudulent tax returns, and creating financial accounts under the victims’ names.

Due to the personal data exposure, it is possible that breach victims would have long-term problems. Since MU Health did not provide free credit monitoring and identity theft protection services, the victims will likely pay for the fees.

The lawsuit also alleges that since patients paid for their healthcare services, part of the cost should have covered data security. Not having sufficient security protection means the patients made overpayment to MU Health, according to the plaintiffs.

19 more patients have added their names as plaintiffs to the filed lawsuit. The plaintiffs are seeking a return of their out-of-pocket expenditures that directly resulted from the breach. MU Health should also pay the identity theft and credit monitoring fees for the breach victims. In addition, the plaintiffs want more funds to be given by MU Health toward its data security protection,  monitoring systems, and audit of systems and procedures.

About Christine Garcia 1297 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at