The University of Pittsburgh Medical Center (UPMC) must protect the personal information of its employees from hackers, Pennsylvania’s highest court ruled last week.
The decision bolsters a long-running class-action lawsuit filed by UPMC employees following a 2014 data breach that exposed the information of nearly 62,000 employees. The Pennsylvania Supreme Court also ruled that UPMC may be on the hook for monetary damaged if the plaintiffs can prove the health system acted negligently.
“Employees have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach,” the high court ruled (PDF). “Thus, we agree with Employees that, in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.”
The 2014 breach did not implicate patient data.
The case has snaked its way through the state court system over that last four years, raising questions about the liability the health system faces for a data breach involving employee information. A complaint filed by employees in 2014 alleged UPMC failed to implement adequate security measures to safeguard employee information, and that some employees incurred damages associated with fraudulently filed tax returns.
But two lower courts ruled that UPMC was not responsible for keeping the information safe since employees gave their information voluntarily, and there was no implied agreement to safeguard their information.
The state Supreme Court vacated the superior court’s ruling, reversed the trial court’s decision and remanded the case back to the lower court.