University of Michigan Maintained Private Data in 'Reckless Manner': Class Action
An August data breach at the University of Michigan led to unauthorized access of personal data of students, applicants, alumni, donors, employees, contractors, research study participants and patients, alleged a class action Wednesday (docket 5:23-cv-12783) in U.S. District Court for Eastern Michigan in Ann Arbor.
Private information compromised in the breach includes Social Security, driver’s license, other government-issued ID, financial account and payment card numbers, plus health, health insurance and University Health Service and School of Dentistry clinical information, said the complaint. Health information included patient medical numbers, diagnoses, treatment and medication history, plus information related to participation in certain research studies, it said. Most information compromised in the breach is protected under the Health Insurance Portability and Accountability Act, it said.
The university maintained the private information in a “reckless and negligent manner” that left its computer system and network in a condition “vulnerable to cyberattacks,” said the complaint. The mechanism of the cyberattack and potential for improper disclosure were known risks to the university, making the defendant “on notice that failing to take steps necessary to secure” plaintiff’s and class members’ private information from the risks left the network “in a dangerous condition.” Due to recent high-profile data breaches at other educational institutions and at healthcare companies, the university should have known its electronic records “would be targeted by cybercriminals and data thieves,” it said.
Though the university learned of the network security incident between Aug. 23 and Aug. 27, it didn’t notify plaintiff Ari Givony of Plantation, Florida, or class members of the breach until Oct. 23, the complaint said. Givony provided the university her private information via an online form for a research study with the expectation that it would be “safeguarded against cyberattacks and foreseeable theft and not disclosed for unauthorized purposes,” it said.
Upon information and belief, the university will continue to maintain copies of Givony’s and class members’ private information on its computers and network, said the complaint. The university has over 32,000 undergraduate students enrolled in the current school year and employs about 35,000 individuals, it said.
The University of Michigan’s privacy policy states that it limits who has access to personal information in its possession “to only those who need it for a legitimate, specific purpose” and that it will protect that information through “appropriate physical and technical security measures tailored to the sensitivity of the personal data” it holds, said the complaint. Givony relied on the university to keep her private information confidential and “securely maintained,” to use it for “business and health purposes only” and to make only authorized disclosures of the data to third parties, it said.
Givony suffered fear, anxiety and stress as a result of the breach, said the complaint. She has lost sleep and time and has experienced annoyance and inconvenience arising from the increased risk of fraud and identity theft, and she will have to spend “significant amounts of time” monitoring her medical accounts and private information for misuse, it said.
Many victims suffered “ascertainable losses” such as out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the data breach, said the complaint. The university offered Givony and class members 12 months of free credit monitoring services resulting from the breach, “insufficient to repair the damage” the university has caused, it said.
In addition to negligence and negligence per se, the class action asserts invasion of privacy, unjust enrichment, breach of implied and express contract and breach of fiduciary duty. Givony seeks equitable relief enjoining the university from engaging in the wrongful conduct described; requiring it to protect, through encryption, all data collected in the course of its business according to industry standards; requiring it to delete and destroy the personal identifying information of victims; requiring it to maintain a comprehensive information security program; and requiring it to educate all class members about the threats they face.
Givony seeks awards of actual, statutory, nominal and consequential damages, attorneys’ costs and legal fees, plus pre- and post-judgment interest. The University of Michigan didn’t comment Thursday.