Share this article on:
A lawsuit filed by employees affected by a data breach at University of Pennsylvania Medical Center (UPMC) has been revived by the Pennsylvania Supreme Court.
The lawsuit was filed after hackers stole the information of approximately 62,000 current and former UPMC employees in a data breach discovered by UPMC in February 2014. The stolen information included names, addresses, Social Security numbers, tax information, and bank account numbers. The information was used to file fraudulent tax returns in employees’ names to receive tax refunds.
According the lawsuit, “As a result of UPMC’s negligence, employees incurred damages relating to fraudulently filed tax returns and are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”
UPMC argued that there is no cause of action for negligence as no property damage or physical injury was alleged by its employees. In Pennsylvania, no cause of action exists for negligence that solely results in economic losses.
The lawsuit was thrown out by two lower courts; however, last week the lawsuit was reinstated by the state’s high court. Justice Max Baer wrote in the opinion that UPMC had a responsibility to address risks that arise from the collection of sensitive data and had a legal duty to protect sensitive information provided by its employees. UPMC breached its common-law duty to exercise reasonable care and safeguard information stored on an Internet-accessible computer system. All six Supreme Court judges agreed that UPMC was responsible for protecting the sensitive data of its employees.
Baer confirmed that “Under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”
The case will now return to the lower court for review. If UPMC is found to have been negligent, UPMC may be required to pay monetary damages to employees who suffered economic losses as a result of the data breach.