Healthcare Information Security


Pennsylvania Judge Rules UPMC Must Protect Employee Data

The state Supreme Court found UPMC is responsible for safeguarding employee data in the wake of its 2014 breach.


By Jessica Davis

The Pennsylvania Supreme Court ruled last week that the University of Pittsburgh Medical Center (UPMC) is responsible for protecting its employees' personal data from hackers, the latest development in a lengthy class-action lawsuit filed by UPMC employees against the health system in 2014.

The decision overturns two lower-court rulings that had thrown out the case.

UPMC employees sued the health system in 2014 for breach of contract after their data was compromised. Hackers stole personal information, including bank account data, Social Security numbers and tax information, and used it to file fraudulent tax returns and collect the refunds.

The health system confirmed the breach in February 2014 and later concluded that all of its employees were affected.

The state's high court held that UPMC is responsible because employees were required, as a condition of employment, to provide the health system with the data that was subsequently stolen by the cybercriminals.

According to the suit, the employees alleged that requiring them to hand over that data created a duty for UPMC to design, maintain and test its security systems to ensure the data was "adequately protected."

"As a result of UPMC's negligence, employees 'incurred damages relating to fraudulently filed tax returns' and are 'at an increased and imminent risk of becoming victims of identity theft crimes, fraud and abuse,'" according to the lawsuit.

In its defense, UPMC argued the “negligence claim failed as a matter of law.”

"Specifically, UPMC argued that no cause of action exists for negligence because employees did not allege any physical injury or property damage and, under the economic loss doctrine, 'no cause of action exists for negligence that results solely in economic damages unaccompanied by physical injury or property damage,'" the ruling recounted.

The court granted discretionary review and sided with the employees, holding that collecting the data creates a risk that UPMC is responsible for guarding against.

In his written opinion, Justice Max Baer wrote: “We hold that an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet-accessible computer system.”

“Under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract,” Baer added.

Having vacated the lower-court decisions, the Supreme Court reversed the trial court's dismissal and sent the case back to the lower court for further proceedings.
