University of Pittsburgh Medical Center Settles Data Breach Lawsuit for $450,000
University of Pittsburgh Medical Center has agreed to settle a class action data breach lawsuit and will make $450,000 available to cover claims from individuals who have suffered losses due to the theft and misuse of their protected health information.
The data breach affected approximately 36,000 patients and saw their protected health information accessed and stolen by an unauthorized third party between April 2020 and June 2020. The breach occurred at UPMC’s legal counsel, Charles J. Hilton PC, (CJH), which provided billing-related services. The compromised data was stored within the firm’s email environment and included names, birth dates, Social Security numbers, financial information ID numbers, signatures, insurance information, and medical information. The data breach was detected in June 2020; however, notifications were not sent to affected individuals until December 2020.
While many speculative lawsuits are filed against healthcare organizations and their business associates over the exposure of patient data, in this case, the plaintiff was defrauded soon after the breach, which was, on the balance of probability, due to his information being stolen in the data breach at CJH. An Amazon credit card account had been opened in his name. The plaintiff claimed he had to spend a considerable amount of time addressing the misuse of his personal and protected health information. The lawsuit alleged UPMC and CJH failed in their duty to protect patient data and had not implemented reasonable and appropriate safeguards to protect their private data.
Neither UPMC nor CJH admitted any wrongdoing or liability but agreed to settle the lawsuit. Under the terms of the settlement, class members are entitled to make a claim for a $250 cash payment as reimbursement for documented out-of-pocket expenses related to the data breach and may submit claims for up to $2,500 to recover fraudulent charges and costs related to identity theft, plus $30 for undocumented time spent dealing with the breach. 12 months of complimentary credit monitoring, identity theft, and dark web monitoring services will also be provided to class members. Claims must be submitted no later than September 3, 2022.
Last year, UPMC settled a long-running lawsuit for $2.65 million. The lawsuit was filed on behalf of 27,000 employees affected by a February 2014 data breach.