St. Louis University has agreed to a $2 million settlement in a class-action lawsuit over a data breach that exposed personal information of more than 93,000 people, offering compensation and credit monitoring to those affected.
St. Louis University (SLU) has agreed to settle a class-action lawsuit stemming from a data breach that exposed the personal information of thousands of patients and students. The breach, which occurred between December 2022 and July 2023, included sensitive data such as birth dates, driver’s license numbers, and medical details. More than 93,000 people may have been affected, according to the Maine attorney general’s office.
See also: What are the 18 PHI identifiers?
The lawsuit, filed in St. Louis Circuit Court last year by four plaintiffs, accused SLU and its health provider partner, SSM Health, of a “willful and reckless violation of privacy rights.” As part of the settlement, SLU will make up to $2 million available to affected individuals. Those who can prove documented losses due to the breach could receive up to $2,500, while others may qualify for a flat $100 payment. The agreement also includes a year of free credit monitoring for impacted individuals. As part of the agreement, SLU has not admitted wrongdoing but agreed to the settlement to avoid prolonged litigation. A court must still give final approval to the settlement.
“We are pleased to have reached a mutually agreeable settlement,” SLU spokesman Clayton Berry said in a statement, quoted by the St. Louis Public Radio. “SLU was the victim of a criminal phishing attack in March 2023 that resulted in unauthorized access to a very small number of University email accounts. To date, there has been no evidence of personal information being misused for fraudulent purposes.”
The breach demonstrates the growing threat of cyberattacks on educational and healthcare institutions, where large volumes of personal data are stored. Victims of data breaches can suffer financial and emotional harm, including identity theft and credit damage. By offering compensation and credit monitoring, the settlement provides some relief and accountability, though the long-term effects for those affected remain uncertain.
SLU is offering up to $2,500 in compensation and free credit monitoring to those impacted by a data breach that may have exposed the personal information of over 93,000 individuals. Those eligible must file a claim through the official settlement website, as final court approval of the agreement is still pending.
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
A data breach is an incident where unauthorized individuals gain access to sensitive, confidential, or protected personal information.
See also: Types of breaches
Eligible individuals are usually notified by mail or email, or they can check an official settlement or claims website for more information.
A class-action settlement resolves legal claims brought on behalf of a group of people with similar complaints, often without going to trial.
Compensation may vary, but can include monetary payments, reimbursement for losses, and access to services like credit monitoring.