Pennsylvania Supreme Court says UPMC must safeguard employee data

UPMC could be on the hook for damages if employees can prove the system was negligent in protecting data. (iStock/Michał Chodyra)

The University of Pittsburgh Medical Center (UPMC) must protect the personal information of its employees from hackers, Pennsylvania’s highest court ruled last week.

The decision bolsters a long-running class-action lawsuit filed by UPMC employees following a 2014 data breach that exposed the information of nearly 62,000 employees. The Pennsylvania Supreme Court also ruled that UPMC may be on the hook for monetary damages if the plaintiffs can prove the health system acted negligently.

“Employees have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach,” the high court ruled (PDF). “Thus, we agree with Employees that, in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” 

The 2014 breach did not implicate patient data.

The case has snaked its way through the state court system over the last four years, raising questions about the liability the health system faces for a data breach involving employee information. A complaint filed by employees in 2014 alleged UPMC failed to implement adequate security measures to safeguard employee information, and that some employees incurred damages associated with fraudulently filed tax returns.

But two lower courts ruled that UPMC was not responsible for keeping the information safe since employees gave their information voluntarily, and there was no implied agreement to safeguard their information.

The state Supreme Court vacated the superior court’s ruling, reversed the trial court’s decision and remanded the case back to the lower court.
