The Pennsylvania Supreme Court Revives Lawsuit Filed by UPMC Employees Affected by a Data Breach



By: Stephen Hodzic, Staff Writer


While many businesses are aware of the concept of cybersecurity, it is unclear how many take active steps to protect not only their proprietary data but also personal employee data. Several high-profile cyberattacks have taken place in recent years. The United States Office of Personnel Management (OPM) discovered malware on its network in 2015, and later found that the malware may have been in place for almost a year before being discovered.[1] The attackers may have had access to archives that included 18 million copies of employee responses to a questionnaire for federal security clearances, complete personnel files of 4.2 million employees, and 5.6 million images of the fingerprints of government employees.[2] In 2017, the credit reporting agency Equifax discovered that it was the victim of a cyberattack.[3] It was estimated that approximately 143 million accounts were affected.[4] The information contained in the accounts included driver’s license numbers, social security numbers, dates of birth, and home addresses.[5][6]

Given the examples above, a business would be hard-pressed to claim that it has not heard of the term “cybersecurity.” If awareness of the risk of a cyberattack is so high, and the damage can be so severe, should companies be held liable for failing to protect sensitive information from such attacks? Recently, the Pennsylvania Supreme Court addressed this issue in Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).[7]

In Dittman, a group of UPMC employees filed a class action lawsuit against UPMC after a data breach in which the information of 62,000 current and former UPMC employees was exposed.[8] The information included birth dates, names, social security numbers, and bank account information, all of which UPMC required employees to provide as a condition of their employment.[9] The information was apparently used to file fraudulent tax returns, which resulted in actual damages.[10] In their complaint, the employees asserted a negligence claim and a breach of implied contract claim against UPMC.[11]

The employees alleged that UPMC had a duty to exercise reasonable care to protect their personal information, especially given that UPMC required the information as a condition of employment.[12] Additionally, the plaintiffs averred that UPMC had violated its own administrative guidelines and failed to meet general industry standards for data security.[13] UPMC filed preliminary objections to the employees’ complaint, contending that, under the economic loss doctrine, the negligence claim should fail as a matter of law because the employees suffered neither physical nor property damage and thus no cause of action could exist.[14]

The trial court sustained UPMC’s preliminary objections and dismissed the employees’ negligence claim.[15] It held that, under the economic loss doctrine, the employees’ negligence claim was barred because “the only losses Employees sustained were economic in nature.”[16] The employees appealed to the Superior Court.[17] On appeal, the employees “argued that the trial court erred in finding that UPMC did not owe a duty of reasonable care in its collection and storage of Employees’ information, and that the economic loss doctrine barred their claim.”[18] In a split decision, the Superior Court affirmed the order of the trial court sustaining UPMC’s preliminary objections.[19] The employees then filed a petition for allowance of appeal, and the Pennsylvania Supreme Court subsequently granted review.

The Pennsylvania Supreme Court vacated the judgment of the Superior Court and reversed the order of the trial court.[20] It held that UPMC owed a duty to the employees “to use reasonable care to safeguard their sensitive personal data in collecting and storing it on an internet-accessible computer system.”[21] It also determined that, under Pennsylvania’s economic loss doctrine, “recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to a contract.”[22]

While the number of data breaches continues to rise, the Dittman holding may provide an increasing number of cyberattack victims a much-needed remedy. In addition, exposing employers to liability for data breaches gives companies an incentive to strengthen their data security policies.


[2] Id.

[5] Id.

[7] Dittman v. UPMC, 196 A.3d 1036 (Pa. 2018).

[8] Id.

[9] Id.

[10] Id.

[11] Id.

[12] Id. at 1038-39.

[13] Id.

[14] Id.

[15] Id. at 1040.

[16] Id.

[17] Id. at 1041.

[18] Id.

[19] Id.

[20] Id. at 1056.

[21] Id.

[22] Id. at 1038.
