HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UPMC Data Breach Lawsuit Reinstated by Pennsylvania Supreme Court

A lawsuit filed by employees affected by a data breach at University of Pennsylvania Medical Center (UPMC) has been revived by the Pennsylvania Supreme Court.

The lawsuit was filed after hackers stole the information of approximately 62,000 current and former UPMC employees in a data breach discovered by UPMC in February 2014. The stolen information included names, addresses, Social Security numbers, tax information, and bank account numbers. The information was used to file fraudulent tax returns in employees’ names to receive tax refunds.

According to the lawsuit, “As a result of UPMC’s negligence, employees incurred damages relating to fraudulently filed tax returns and are at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse.”

UPMC argued that there is no cause of action for negligence as no property damage or physical injury was alleged by its employees. In Pennsylvania, no cause of action exists for negligence that solely results in economic losses.


The lawsuit was thrown out by two lower courts; however, last week the lawsuit was reinstated by the state’s high court. Justice Max Baer wrote in the opinion that UPMC had a responsibility to address risks that arise from the collection of sensitive data and had a legal duty to protect sensitive information provided by its employees. UPMC breached its common-law duty to exercise reasonable care and safeguard information stored on an Internet-accessible computer system. All six Supreme Court judges agreed that UPMC was responsible for protecting the sensitive data of its employees.

Baer confirmed that “Under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract.”

The case will now return to the lower court for review. If UPMC is found to have been negligent, UPMC may be required to pay monetary damages to employees who suffered economic losses as a result of the data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.