Pennsylvania Supreme Court to hear UPMC data breach case involving employee information

The Pennsylvania Supreme Court will weigh in on a data breach case, adding to a growing portfolio of legal decisions. (Credit: Getty/BrianAJackson)

The Pennsylvania Supreme Court has agreed to hear a case stemming from a 2014 data breach at the University of Pittsburgh Medical Center (UPMC) that exposed personal information of nearly 62,000 employees.

The high court will decide whether UPMC has a legal responsibility to safeguard the personal information of its employees when those employees choose to store that information on a network-enabled computer and whether employees are allowed to seek monetary damages following a breach, according to an order (PDF) posted by the court last week.

The controversial case has snaked its way through the state court system after employees sued the health system for negligence and breach of contract. In an initial 2015 judgment, a Pennsylvania Common Pleas Court ruled that UPMC was not responsible for keeping the employees' information safe.

The Superior Court of Pennsylvania upheld (PDF) that decision in January, noting that employees gave up their information for employment purposes with no implied agreement that the health system would keep that information safe.


The state Supreme Court’s order comes as an insurer in another data breach class action lawsuit is seeking legal clarification from the U.S. Supreme Court. CareFirst is in the process of filing an appeal with the high court to determine whether the prospect of future harm associated with a data breach is enough to warrant legal action. Alan Butler, senior counsel at the Electronic Privacy Information Center in Washington, D.C., told FierceHealthcare that if the Supreme Court agrees to take the case, it would be “one of the most important cybersecurity cases ever heard in the Court.”

Amid mounting cyber threats, providers and insurers are finding that data breaches carry significant legal costs. Earlier this year, Anthem agreed to pay $115 million to settle a class action lawsuit following a 2015 data breach that compromised information for nearly 80 million members.
