Local

Rockhurst University is sued over data breach in phishing scam

A Rockhurst University spokesman said Monday that the university would not comment on the pending lawsuit, which says it was reckless and willful in exposing personal identification data in W-2 forms to phishing scammers last month.
A Rockhurst University spokesman said Monday that the university would not comment on the pending lawsuit, which says it was reckless and willful in exposing personal identification data in W-2 forms to phishing scammers last month. File photo

A Rockhurst University employee hopes to represent some 1,200 school staffers in seeking damages for a data breach last month.

Someone duped university staff into supplying information on IRS W-2 forms, including Social Security numbers, in an act of fraud April 4.

The lawsuit filed Thursday in Jackson County Circuit Court by Alexandria Stobbe said the university was willful and reckless in exposing the personal information in “flagrant disregard” for the employees’ rights to privacy and property.

The lawsuit is asking the court to allow a class-action litigation on behalf of all the affected employees.

University staff are at “an imminent, immediate and continuing increased risk of identity theft, identity fraud and medical fraud,” the lawsuit said. The university harmed them, it said, by failing to establish and implement appropriate administrative safeguards to protect the information.

A Rockhurst spokesman said the university would not comment on the pending lawsuit.

Last month, Rockhurst University President Thomas B. Curran said in a letter to employees that he was angry the institution had been victimized and that the university was working with the IRS to monitor any fraud from the action. The university also said it would provide free services to employees for two years to arrange protections of their credit cards and protect against identity theft.

The university reported last month that the fraud was committed by someone who impersonated a university administrator, requested W-2 information and provided a fake email address.

Curran said in his letter at the time that the university was taking steps to notify and train staff about data fraud schemes.

Stobbe’s lawsuit states that the fraud committed against the university has damaged employees’ peace of mind and personal security, compelling many of them to purchase credit card reporting services and Internet monitoring services, to purchase and review credit reports and bank statements, and to institute credit freezes or close accounts.

The employees “have suffered and will continue to suffer such damages for the foreseeable future,” it said.

The theft of Social Security numbers presents a particularly difficult process for those who may need to get them changed, the lawsuit added.

The employees also have been deprived of the value of their personal information, which many services collect and sell to solicitors and other users.

The lawsuit seeks actual, unspecified amounts of damages, plus legal fees.

  Comments