HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UPMC Settles Employee Data Breach Lawsuit for $2.65 Million

UPMC has proposed a $2.65 million settlement to resolve a data breach lawsuit filed by employees affected by a February 2014 data breach.

Pittsburgh, PA-based UPMC announced the data breach in February 2021 and initially believed the attackers had only obtained the tax information of a few hundred of its employees; however, in April 2014, UPMC determined that the breach was far more extensive and had affected 27,000 of its 66,000 employees. In May 2014, UPMC confirmed that the personal data of all of its employees had likely been compromised.

The data compromised in the attack included names and Social Security numbers, some of which were used by the attackers to file fraudulent tax returns. Four individuals involved in the cyberattack have been charged and pleaded guilty to tax fraud and identity theft charges. They attempted to obtain around $2.2 million in tax refunds and received $1.7 million from the IRS.

Under the terms of the settlement, current and former employees whose personal information was compromised in the data breach will be able to submit claims for fraud-related losses and claim reimbursement for time spent preventing losses. The 66,000 class members will be able to claim up to $250 as reimbursement for fraud-related inconveniences or submit a claim for up to $5,000 as reimbursement for out-of-pocket losses related to identity theft or fraud. Any class member who does not file a claim will receive a payment of between $10 and $20. UPMC will establish a $1.68 million settlement fund and will pay up to $200,000 to a settlement administrator. UPMC will also cover court costs and attorneys’ fees.

The settlement also requires UPMC to implement a range of cybersecurity measures to ensure the personal data of employees is protected. Those measures include undergoing a third-party security assessment, adding cybersecurity professionals to its security team, improving authentication measures, increasing the use of encryption, ensuring compliance with cybersecurity best practices, disabling all unnecessary and unused services, and updating its system security plans. The settlement does not require UPMC to implement any cybersecurity measures beyond those it has already taken in response to the breach.

UPMC has not admitted liability for the breach. The decision to settle the lawsuit was made to prevent further expense, inconvenience, and the distraction of burdensome and protracted litigation. A motion for preliminary approval of the settlement was filed on July 15.

It has taken a long time for a settlement to be reached. In 2015, a trial court dismissed the plaintiffs’ negligence claim; however, that decision was reversed by the Pennsylvania Supreme Court in November 2018, when the court declared that employers have a common law duty to implement reasonable safeguards to protect the personal information of employees.

“We are pleased that we’ve been able to negotiate a proposed resolution with UPMC that will provide meaningful relief to those who suffered financial losses, increased risks of fraud and other inconveniences when their data was compromised,” said the plaintiffs’ attorney, Jamisen Etzel.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.