Pennsylvania Supreme Court says UPMC must safeguard employee data

Net neutrality rules
UPMC could be on the hook for damages if employees can prove the system was negligent in protecting data. (iStock/Michał Chodyra)

The University of Pittsburgh Medical Center (UPMC) must protect the personal information of its employees from hackers, Pennsylvania’s highest court ruled last week.

The decision bolsters a long-running class-action lawsuit filed by UPMC employees following a 2014 data breach that exposed the information of nearly 62,000 employees. The Pennsylvania Supreme Court also ruled that UPMC may be on the hook for monetary damaged if the plaintiffs can prove the health system acted negligently.

“Employees have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach,” the high court ruled (PDF). “Thus, we agree with Employees that, in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.” 

Free Daily Newsletter

Like this story? Subscribe to FierceHealthcare!

The healthcare sector remains in flux as policy, regulation, technology and trends shape the market. FierceHealthcare subscribers rely on our suite of newsletters as their must-read source for the latest news, analysis and data impacting their world. Sign up today to get healthcare news and updates delivered to your inbox and read on the go.

The 2014 breach did not implicate patient data.

The case has snaked its way through the state court system over that last four years, raising questions about the liability the health system faces for a data breach involving employee information. A complaint filed by employees in 2014 alleged UPMC failed to implement adequate security measures to safeguard employee information, and that some employees incurred damages associated with fraudulently filed tax returns.

RELATED: Pennsylvania Supreme Court to hear UPMC data breach case involving employee information

But two lower courts ruled that UPMC was not responsible for keeping the information safe since employees gave their information voluntarily, and there was no implied agreement to safeguard their information.

The state Supreme Court vacated the superior court’s ruling, reversed the trial court’s decision and remanded the case back to the lower court.

Suggested Articles

Civica Rx, the non-profit drug company formed by a collection of hospitals to help control generic drug supplies and prices, is putting down roots.

Two senators introduced this week bipartisan legislation to establish a third-party oversight committee to help monitor the implementation of the new EHR…

ONC is moving another step closer to implementing a framework designed to improve data sharing between health information networks.