The Pennsylvania Supreme Court has agreed to hear a case stemming from a 2014 data breach at the University of Pittsburgh Medical Center (UPMC) that exposed personal information of nearly 62,000 employees.
The high court will decide whether UPMC has a legal responsibility to safeguard the personal information of its employees when those employees choose to store that information on a network-enabled computer and whether employees are allowed to seek monetary damages following a breach, according to an order (PDF) posted by the court last week.
The controversial case has snaked its way through the state court system after employees sued the health system for negligence and breach of contract. An initial 2015 judgment by a Pennsylvania Common Pleas Court ruled that UPMC was not responsible for keeping their information safe.
The Superior Court of Pennsylvania upheld (PDF) that decision in January, noting that employees gave up their information for employment purposes with no implied agreement that the health system would keep that information safe.
The state Supreme Court’s order comes as an insurer in another data breach class action lawsuit is seeking legal clarification from the U.S. Supreme Court. CareFirst is in the process of filing an appeal with the high court to determine whether the prospect of future harm associated with a data breach is enough to warrant legal action. Alan Butler, senior counsel at the Electronic Privacy Information Center in Washington, D.C., told FierceHealthcare that if the Supreme Court agrees to take the case, it would be “one of the most important cybersecurity cases ever heard in the Court.”
Amid mounting cyber threats, providers and insurers are finding that data breaches carry significant legal costs. Earlier this year, Anthem agreed to pay $115 million to settle a class action lawsuit following a 2015 data breach that compromised information for nearly 80 million members.