• E-mail
• Print
• RSS

Judge dismisses class-action suit against university hospital over data breach

HIM-HIPAA Insider, June 8, 2015

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

A Pennsylvania county judge has dismissed a class-action lawsuit that was brought against the University of Pittsburgh Medical Center (UPMC) last year over a data breach that potentially affected all 62,000 employees in the hospital system.

Judge R. Stanton Wettick sided with UPMC, ruling it was also a victim of the attack and heightened cybersecurity measures may not have prevented the breach, TribLive reports. Wettick further said there was no agreement stating UPMC would be held liable for security breaches.

Typically, when you think about healthcare breaches you think about employee snooping or hackers exposing the PHI of patients for medical identity theft. In this case, however, the hackers went straight to the employees to gain financial information. While this breach may not be considered a violation of HIPAA, it highlights weaknesses in UPMC systems.

The Pittsburgh Post-Gazette reported UPMC notified employees of the breach in February 2014 after confirming a payroll database was compromised and 22 people were victims of tax fraud as a result of the theft. The victims reported the theft to UPMC and an investigation was launched with the Internal Revenue Service, Secret Service, and Federal Bureau of Investigation.

A month later, the number of victims increased to 322, and then 788 in April. TribLive reported in June that at least 817 employees across the health system, which includes 22 hospitals, were victims of tax fraud. UPMC had said 27,000 people were possibly affected and then acknowledged in June the breach might extend to every hospital employee.

The payroll system was separate from patient data and fraud detection services were offered to all employees for free with the possibility of extending coverage for five years, a UPMC spokeswoman told TribLive. Social Security numbers, bank account numbers, and other sensitive data were compromised in the breach.

Employees filed the class-action suit in February 2014, which was followed by a second suit that mistakenly implicated a software firm as well and which was quickly dropped.

The claims against UPMC were negligence in its failure to protect employees’ personal and financial data despite federal privacy guidelines for businesses and widespread industry information security standards, and breach of an implied contract with employees to protect that data.

This article appeared on HCPro’s HIPAA Update blog. Stay up to date on all things HIPAA by signing up for e-mail updates from this blog.

Want to receive articles like this one in your inbox? Subscribe to HIM-HIPAA Insider!

• E-mail to a Colleague
• Print
• RSS
• Archive