UPMC Data Breach Not Grounds for Class Action Says Judge

A data breach suffered by the University of Pittsburgh Medical Center (UPMC) in 2014 does not give the victims grounds for a class action claim, even though 817 cases of tax fraud have been reported as a direct result of the breach.

Civil lawsuits filed against healthcare providers often fail because there is no evidence that the stolen data has actually been misused. Without actual harm suffered, a claim is very unlikely to succeed. In this case, some of the victims suffered provable losses, but that was not deemed sufficient to warrant a class action claim, at least not under the circumstances.

The data breach did not involve any patient data, but all 62,000 UPMC employees were affected. The initial breach report stated that only 27,000 individuals had been affected; that figure has since been revised, and the breach is now believed to affect all 62,000 employees.

The breach affected the organization's payroll database and exposed highly sensitive information about employees, including names, addresses, Social Security numbers, salary details and, in some cases, bank account information.

The class action lawsuit that followed, Dittman v. UPMC, demanded compensation for the data breach as well as 25 years of credit monitoring services. UPMC has provided credit protection services via LifeLock and is now planning to extend that coverage to a period of 5 years.

Class Action Failed, Appeal Likely
The class action lawsuit, filed by attorney Michael Kraemer last year, claimed that UPMC breached its duty of care to protect the private and confidential data of its employees, leaving them facing a permanently higher risk of identity and tax fraud. There is no doubt about the latter, given that so many breach victims have already discovered that fraudulent tax refunds were claimed in their names.

In Pennsylvania, there is no law that provides a civil cause of action against a company for failing to keep confidential information secure. The plaintiffs cited Seebold v. Prison Health Services, a case heard by the Pennsylvania Supreme Court in which the duty of care was discussed, and argued that UPMC did have a duty of care to protect its employees.

Common Pleas Judge R. Stanton Wettick, however, said the Seebold case was not relevant to the Dittman case, and that "no cause of action exists for negligence that results solely in economic damages without the individual suffering physical injury or property damage."

He also pointed out that if this case were allowed to proceed, the floodgates would open and the state's judicial system would be swamped with negligence claims. He said, "[The] courts will not adopt a proposed solution that will overwhelm Pennsylvania's judicial system."

While consumers are protected against fraudulent credit card purchases, there is no comparable process for recovering an IRS tax refund that someone else has fraudulently claimed. Yet these clear losses were not the issue.

Wettick considered the issue to be whether UPMC should have implemented more robust security to protect its employees' sensitive data. He decided that the protections in place were sufficient and that there had been no breach of duty.

No Private Right of Action in Pennsylvania for Keeping Data Secure
The Allegheny County judge issued a 14-page opinion detailing why the claim was denied, in which he said "there was no meeting of the minds" and that UPMC had not accepted liability for data breaches. He also said that even if UPMC had implemented an improved and more secure system to protect employee data, it "would not have necessarily prevented the health data breach."

Had the data breach resulted from the loss of an unencrypted laptop, a firewall that was never switched on, or another clear example of negligence, a lawsuit would be much more likely to succeed, particularly if filed on the grounds of negligence. However, where it is unreasonable to expect a HIPAA-covered entity to have prevented a data breach, a claim for damages is unlikely to prove successful.

According to Kraemer, "[the lawsuit] dealt with an emerging and still very unsettled area of law." He also said, "We disagreed with Judge Wettick's decision and we think that ultimately another court could find otherwise."

The Data Breaches Continue at UPMC
In May, UPMC announced that it had suffered another HIPAA data breach and became the first hospital to confirm that some of its patients had been affected by a breach at one of its business associates, Medical Management LLC. That company reported a breach involving 20,512 individuals after a member of staff stole data from its billing department; 40 hospitals were affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.