UPMC Data Breach Not Grounds for Class Action Says Judge
A data breach suffered by the University of Pittsburgh Medical Center in 2014 does not give the victims grounds for a class action claim, even though there have been 817 reported cases of tax fraud as a direct result of the data breach.
Civil lawsuits filed against healthcare providers often fail because of a lack of evidence that the stolen data has been used inappropriately. Without any actual harm suffered, a claim is very unlikely to succeed. In this case, there was provable losses suffered by some of the victims, but it was not deemed to warrant a class action claim, at least not under the circumstances.
The data breach did not involve any patient data, although all 62,000 employees were affected. The initial data breach report stated only 27,000 individuals had been affected; however, that figure has since been expanded and the data breach is now believed to affect all 62,000 employees.
The breach affected the company’s payroll database and exposed highly sensitive information about the employees, including names, addresses, Social Security numbers, salary details and in some cases, bank account information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The class action lawsuit, Dittman v. UPMC, that followed demanded compensation for the data breach as well as 25 years of credit monitoring services. UPMC has provided credit protection services via LifeLock, with the University now planning to offer extended coverage for a period of 5 years.
Class Action Failed, Appeal Likely
The class action lawsuit, filed by Attorney Michael Kraemer last year, claimed that UPMC breached its duty of care to protect the private and confidential data of employees, resulting in them being forced to live a life facing a higher risk of suffering identity and tax fraud. There is no doubt of the latter given the fact that so many breach victims have already discovered fraudulent tax refunds have been made in their names.
In Pennsylvania, there is no law that allows a civil cause of action against a company failing to keep confidential information secure. The case cited Seebold v. Prison Health Services; a lawsuit heard by the Pennsylvania Supreme Court in which the duty of care was discussed, and it was argued that UPMC did have a duty of care to protect its employees.
Common Pleas Judge, R. Stanton Wettick however, said the Seebold case was not relevant to the Dittman case, and “no cause of action exists for negligence that results solely in economic damages without the individual suffering physical injury or property damage.”
He also pointed out that should this case be allowed to proceed, the floodgates would be opened and the state’s judicial system would be swamped with negligence claims. He said, “[The} courts will not adopt a proposed solution that will overwhelm Pennsylvania’s judicial system.”
While consumers are protected against fraudulent credit card purchases, in the case of IRS tax refunds, if someone else claims that money, there is no process for recovering those funds through the IRS. These clear losses were not the issue.
Wettick believed the issue to be whether UPMC should have implemented more robust security to protect the sensitive data of employees. Wettick decided that the protections in place were sufficient and there was no breach of duty.
No Private Right of Action in Pennsylvania for Keeping Data Secure
The Allegheny County Court judge issued a 14-page opinion detailing the reason why the claim was denied, in which he said “there was no meeting of the minds,” and that UPMC had not accepted liability for data breaches. He also said that had UPMC implemented an improved and more secure system to protect employee data, it “would not have necessarily prevented the health data breach.”
Had the data breach resulted from the loss of an unencrypted laptop computer, the failure to turn on a Firewall or another example of negligence, the lawsuit would be much more likely to be successful, certainly if it was filed on the grounds of negligence under federal laws. However, if it is unreasonable to expect a HIPAA-covered entity to have prevented a data breach, a claim for damages is still unlikely to prove successful.
According to Kraemer, “[the lawsuit] dealt with an emerging and still very unsettled area of law.” He also said “We disagreed with Judge Wettick’s decision and we think that ultimately another court could find otherwise.”
The Data Breaches Continue at UPMC
In May, UPMC announced it was the victim of another HIPAA data breach and was the first hospital to confirm that some of its patients had been affected by a data breach involving one of its business associates, Medical Management LLC. The company reported a breach involving 20,512 individuals after a member of staff stole data from the company’s billing department. 40 hospitals were affected.
