
University’s medical centers must face data breach suit


The Pennsylvania Supreme Court has overturned lower court rulings and held that employees can pursue a negligence claim against two University of Pennsylvania medical centers in connection with a data breach.

In 2014, employees of the University of Pittsburgh Medical Center and the University of Pennsylvania Medical Center McKeesport filed suit charging negligence and a breach of an implied contract claim in connection with a data breach, according to the Nov. 21 ruling by the Pennsylvania Supreme Court in Harrisburg in Barbara A. Dittman et al. v. UPMC D/B/A the University of Pittsburgh Medical Center, and UPMC McKeesport.

The employees said personal and financial information, including names, birth dates, Social Security numbers, addresses, tax forms and bank account information on all 62,000 University of Pennsylvania Medical Center employees and former employees, was accessed and stolen. They said this information was then used to file fraudulent tax returns on behalf of the victimized employees, resulting in actual damages.

Two lower courts dismissed the case, which the Supreme Court reinstated. The six judges on the state’s high court unanimously ruled the medical center owed a duty to its employees.

“Employees have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach,” the ruling said. “Thus, we agree with Employees that, in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.

“Further, to the extent that UPMC argues that the presence of third-party criminality in this case eliminates the duty it owes to Employees, we do not agree,” said the ruling.

“The criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect Employees’ personal and financial information from that breach,” the ruling said.

The ruling also held that the economic loss doctrine does not preclude “any negligence claims seeking solely economic damages.” Two of the six judges disagreed as to the basis of the ruling on this issue.

The case was remanded for further proceedings.

 
