St. Louis University has reached an agreement in a class-action lawsuit filed after a data breach exposed patients’ and students’ personal information.
Four people sued SLU and health provider SSM last year in St. Louis Circuit Court, alleging the organizations took part in a “willful and reckless violation of privacy rights.”
Those who can prove they were affected by the data breach could get up to $2,500.
St. Louis University suffered a data breach of records between December 2022 and July 2023, according to the website set up by the settlement’s claims administrator.
Personal information exposed could include dates of birth, driver's license numbers and medical information.
SLU representatives became aware of the suspicious activity in March 2023. According to the Maine attorney general’s office, more than 93,000 people could have been affected. (Maine’s attorney general published a notice of the data breach after one of the state’s residents was affected.)
The plaintiffs and SLU decided to settle the case earlier this year. As part of the settlement, SLU does not admit liability but is making up to $2 million available to those affected.
A court will need to give final approval to the terms of the settlement, which include a $2,500 payment if the plaintiff can prove documented losses because of the data breach. People could also claim a $100 flat sum even if they can’t prove direct losses.
The settlement also provides for one year of credit monitoring for those affected.
In order to receive benefits, people must first submit a claim on the official website for the data breach.
Legal representatives have already sent notices to people who are eligible.
“We are pleased to have reached a mutually agreeable settlement,” SLU spokesman Clayton Berry said in an email.
“SLU was the victim of a criminal phishing attack in March 2023 that resulted in unauthorized access to a very small number of University email accounts,” he said. “To date, there has been no evidence of personal information being misused for fraudulent purposes.”
The university has strengthened its data security since the breach, he said.
