Judge rules UPMC should have protected employee data
The Pennsylvania Supreme Court last week revived an employee lawsuit against UPMC stemming from a data breach, ruling that companies must protect digitally stored employee data.
The UPMC health system is responsible for protecting the data it required its employees to provide, the court ruled. Employees sued the system for breach of contract after hackers stole the personal information of about 62,000 current and former employees. Hackers used the data—which included Social Security numbers, tax information, and bank account numbers—to file fraudulent tax returns and then to get the related tax refunds.
UPMC first confirmed the breach in February 2014 and, in May of that year, concluded that all employees were affected.
Two lower courts initially threw out the employees' lawsuit. But the state's high court said it must be reinstated because UPMC required its employees to provide the breached information. That collection creates certain risks—namely, that a hacker could get his hands on the data—and UPMC is responsible for protecting that data, according to the court.
"An employer has a legal duty to exercise reasonable care to safeguard its employees' sensitive personal information stored by the employer on an internet-accessible computer system," Justice Max Baer wrote in the opinion, explaining that UPMC broke its common-law duty to exercise "care" in protecting the information.
UPMC was not immediately available for comment.
The threat of healthcare data breaches continues to rise. Between Jan. 1, 2018, and Oct. 31, 2018, there were 306 data breaches reported to the Office for Civil Rights, the majority of which were classified as "hacking/IT incident." These incidents exposed the data of more than 5.7 million people. OCR does not make publicly available whether those people are patients, providers, employees or others.
Since the OCR began tracking breaches in late 2009, UPMC has reported four breaches—two of the overall health system, one of the health plan and one of UPMC Susquehanna. This does not include the most recent breach, which occurred in 2018 when phishing attacks exposed up to 790 patients' personal information.
Breaches can be costly for healthcare organizations. Each cyberattack costs, on average, nearly $4 million to recover from, according to the Ponemon Institute.