St. Louis University and SSM Health Saint Louis University Hospital (SSM-SLUH) agreed to settle a class action lawsuit involving a data breach in 2023. The terms of the settlement required a $2 million fund to pay for claims, attorneys’ service fees, and legal expenses.
St. Louis University discovered suspicious activity inside its email account system in March 2023. According to the investigation, a cybercriminal group gained access to some worker email accounts after conducting a phishing attack. The attacker had unauthorized access to the accounts from December 2022 to July 2023. Despite the unauthorized access, St. Louis University did not find evidence suggesting misuse of the compromised data protected by HIPAA.
The compromised email accounts included the protected health information (PHI) of students, workers, and hospital patients, namely: names, phone numbers, addresses, birth dates, passport numbers, Social Security numbers, driver’s license numbers, electronic signatures, medical insurance data, and medical details. The data of up to 93,000 people were potentially stolen during the incident.
Four individuals whose PHI was exposed during the email account breach filed the M.W, et al., v. St. Louis University, et al lawsuit in the Circuit Court for St. Louis City, Missouri, individually and on behalf of other similarly situated individuals. The lawsuit asserted several claims, including negligence for failing to secure sensitive information because adequate and appropriate safety measures were not in place. The defendants did not admit any wrongdoing or liability; nevertheless, St. Louis University reached a settlement agreement to end the litigation.
The court has given preliminary approval of the settlement, allowing class members to file claims for reimbursement of documented, unreimbursed expenses incurred due to the data breach, up to $2,500 per claimant. Furthermore, all class members can claim a $100 cash payment. The amount will be adjusted according to the number of claims filed and could be more or less than $100. Class members can also claim credit monitoring and identity theft protection services for one year. The defendants likewise committed to implementing extra safety measures to better protect their digital system.
May 27, 2025 is the last day for class members to request exclusion from or object to the settlement. Class members can submit claims on or before June 13, 2025. The final approval hearing is scheduled for June 26, 2025.
Image credit: Kit Leong, AdobeStock