Pennsylvania Supreme Court to hear UPMC data breach case involving employee information

The Pennsylvania Supreme Court will weigh in on a data breach case, adding to a growing portfolio of legal decisions. (Credit: Getty/BrianAJackson)

The Pennsylvania Supreme Court has agreed to hear a case stemming from a 2014 data breach at the University of Pittsburgh Medical Center (UPMC) that exposed the personal information of nearly 62,000 employees.

The high court will decide whether UPMC has a legal responsibility to safeguard the personal information of its employees when those employees choose to store that information on a network-enabled computer and whether employees are allowed to seek monetary damages following a breach, according to an order (PDF) posted by the court last week.

The controversial case has snaked its way through the state court system after employees sued the health system for negligence and breach of contract. An initial 2015 judgment by a Pennsylvania Common Pleas Court ruled that UPMC was not responsible for keeping their information safe.

The Superior Court of Pennsylvania upheld (PDF) that decision in January, noting that employees gave up their information for employment purposes with no implied agreement that the health system would keep that information safe.

The state Supreme Court’s order comes as an insurer in another data breach class action lawsuit is seeking legal clarification from the U.S. Supreme Court. CareFirst is in the process of filing an appeal with the high court to determine whether the prospect of future harm associated with a data breach is enough to warrant legal action. Alan Butler, senior counsel at the Electronic Privacy Information Center in Washington, D.C., told FierceHealthcare that if the Supreme Court agrees to take the case, it would be “one of the most important cybersecurity cases ever heard in the Court.”

Amid mounting cyber threats, providers and insurers are finding that data breaches carry significant legal costs. Earlier this year, Anthem agreed to pay $115 million to settle a class action lawsuit following a 2015 data breach that compromised information for nearly 80 million members.
