The University of Pittsburgh Medical Center has agreed to pay up to $2.65 million to settle a proposed class-action related to a 2014 data breach, according to a preliminary approval motion filed last week and shared with Modern Healthcare.
The settlement would end a lawsuit UPMC employees filed in a Pennsylvania state court in 2014, seeking to represent the workers who were employed by UPMC whose information was potentially compromised in the 2014 data breach, in which a hacker gained access to personal data on an estimated 66,000 current and former UPMC employees.
Hackers used the data—which included Social Security numbers, tax information and bank account numbers—to file fraudulent tax returns and then to get the related tax refunds.
A 29-year-old man in Michigan last year was arrested for the crime, including allegedly hacking into UPMC's human resources database to steal and sell employee data. The scheme, which involved selling data from UPMC and other sources, resulted in roughly $1.7 million in false tax return refunds, according to the U.S. Attorney's Office for the Western District of Pennsylvania.
Plaintiffs in their 2014 complaint accused UPMC of breach of contract, which was thrown out by two lower courts but was reinstated by the Pennsylvania Supreme Court in 2018.
Under the proposed settlement, UPMC will pay nearly $1.7 million to establish a settlement fund and up to $200,000 to a settlement administrator, as well as other court and attorney's fees.
UPMC employees included in the proposed settlement class will be able to submit claims for up to $5,000 as reimbursement for losses from fraud or identity theft or up to $250 as reimbursement for "fraud-related inconveniences," according to the preliminary approval motion.
Members of the class who don't submit claims will receive an equal portion of remaining money in the settlement fund after approved claims and administration costs have been paid.
The equal portions paid to class members who don't submit claims are expected to be $10 to $20, according to the preliminary approval motion.
UPMC did not immediately respond to a request for comment. The health system in the proposed settlement denies any wrongdoing.
"UPMC has agreed to enter into this settlement solely to avoid the further expense, inconvenience, and distraction of burdensome and protracted litigation and to be completely free of any further claims that were asserted or could have been asserted in the litigation," the proposed settlement agreement reads.
