Pennsylvania Supreme Court Reinstates UPMC Data Breach Lawsuit

Employees affected by a data breach at University of Pennsylvania Medical Center (UPMC) sued their employer over the exposure of their personal information. Lower courts dismissed the lawsuit, but the Pennsylvania Supreme Court has now reinstated it.

The employees filed the lawsuit following the theft of data on 62,000 current and former UPMC employees in a breach discovered in February 2014. The compromised information included employees’ names, addresses, tax details, Social Security numbers and bank account numbers. The attacker used the information to file falsified tax returns in the employees’ names and collect the refunds.

The lawsuit alleged that UPMC was negligent and failed to implement appropriate safeguards to protect the privacy of employees’ sensitive data, and that, as a direct result of that negligence, the plaintiffs suffered damages through fraudulently submitted tax returns. It further alleged that the plaintiffs face a greater and impending risk of identity theft, scams and abuse.

UPMC argued that there is no cause of action for negligence because the employees did not allege any property damage or physical injury. In Pennsylvania, there is no cause of action for negligence resulting in economic losses alone.

Two lower courts threw out the lawsuit; the state’s high court has now reinstated it. Justice Max Baer stated that UPMC had an obligation to mitigate the risks introduced by collecting sensitive data and a legal responsibility to protect employees’ sensitive information. By failing to do so, UPMC breached its common-law duty to exercise reasonable care in protecting data stored on a computer system that is remotely accessible. Six Supreme Court justices agreed that UPMC had a duty to safeguard employees’ sensitive data.

Baer also confirmed that Pennsylvania’s economic loss doctrine allows the recovery of purely pecuniary damages under a negligence theory only if the plaintiff can show that the defendant breached a legal duty arising under common law, independent of any duty assumed by contract.

The case will be returned to the lower court for further proceedings. If UPMC is found to have been negligent, it may have to pay financial damages to employees who suffered economic losses because of the data breach.