Recent Data Breach of Hospital Employees Sparks Lawsuit

By Karen Painter Randall

A University of Pittsburgh Medical Center (“UPMC”) employee filed a lawsuit in U.S. District Court for the Western District of Pennsylvania against her employer and Ultimate Software Group, Inc. in the wake of a data breach that saw hackers use the personal information of UPMC employees to file fraudulent federal income tax returns. 

The hospital confirmed that the data breach may have compromised the personal information of 27,000 of its 62,000 employees, including nearly 800 who had a fraudulent tax return filed using their personal information.  Of note, the lawsuit is unusual in that the plaintiff is not seeking monetary damages, but rather that UPMC implement stronger identify theft protection in the future.  Specifically, the lawsuit, which is seeking class action status, requests that defendants pay for 25 years of credit and bank monitoring, identity theft insurance, and services to help affected employees restore their good credit.

This lawsuit is distinct in that rather than seeking monetary damages for an alleged data breach, the plaintiff is merely seeking a more effective means of identity theft protection in the future.  Companies who maintain personal information for their employees must take reasonable safeguards to protect this information from being leaked into the public.  While implementing these safeguards may be an additional expense for a company, the long term cost certainly does not outweigh the potential for damages, as well as claims from the government charged with protecting the public from practices that are asserted to have imperiled customers.