UPMC Data Breach Trial Reinstated by Pennsylvania Supreme Court

Nov 30, 2018


Litigation filed by workers affected by a data breach at the University of Pennsylvania Medical Center (UPMC) has been revitalized by the Pennsylvania Supreme Court.

The litigation was filed after hackers stole the information of roughly 62,000 current and former UPMC workers in a data breach noticed by UPMC in February 2014. The stolen information included names, tax information, Social Security numbers, addresses, and bank account numbers. The information was used to file fake tax returns in workers’ names to get tax refunds.

According to the charge, “As a consequence of UPMC’s negligence, workers incurred damages relating to falsely filed tax returns and are at an increased and impending risk of becoming sufferers of identity theft crimes, scam, and misuse.”

UPMC contended that there is no cause of action for carelessness as no property damage or physical injury was alleged by its workers. In Pennsylvania, no cause of action exists for carelessness that only leads to economic losses.

The claim was thrown out by two lower courts; however, last week the claim was reinstated by the state’s high court. Justice Max Baer wrote in the judgment that UPMC had a responsibility to tackle dangers that arise from the collection of confidential data and had a legal duty to safeguard confidential information provided by its workers. UPMC breached its common-law responsibility to exercise practical care and protect information saved on an Internet-accessible computer system. All six Supreme Court judges agreed that UPMC was in charge of safeguarding the confidential data of its workers.

Baer verified that “Under Pennsylvania’s economic loss policy, recovery for purely financial damages is allowable under a negligence theory provided that the accuser can establish the defendant’s breach of a legal responsibility arising under common law that is independent of any duty supposed pursuant to the agreement.”

The case will now return to the lower court for review. If UPMC is found to have been careless, UPMC might be required to pay monetary damages to workers who suffered economic losses as a consequence of the data breach.