A Pennsylvania judge has dismissed a UPMC data breach lawsuit filed after the 27,000-record breach at the University of Pittsburgh Medical Center (UPMC), even though 788 patients suffered financial losses as a result of the exposure of their Protected Health Information (PHI).
Plaintiffs in the class-action lawsuit alleged that their PHI was exposed because UPMC failed to apply the protections needed to safeguard their data. The exposure not only placed the breach victims at a higher risk of identity theft and tax fraud; many have already become victims.
Class-action lawsuits are almost guaranteed after any healthcare data breach, and although this breach did not expose medical records, the affected patients did suffer harm. Many such lawsuits fail for lack of evidence of harm: for a healthcare data breach lawsuit to succeed, plaintiffs must show that they suffered actual harm, damage or losses as a result of their PHI being exposed or stolen. Harm alone is not enough, however; there must also be evidence of negligence.
In this case, the judge tossed the lawsuit because there was insufficient evidence to support a finding of negligence. The evidence suggested that even if UPMC had strengthened its cybersecurity defenses by using a safer medium for storing PHI, the breach would probably not have been prevented.
A breach occurred and patients suffered losses, but because the breach could not realistically have been prevented, there could be no liability.
UPMC Data Breach Lawsuit Tossed as UPMC not Negligent
The UPMC data breach lawsuit was heard by Common Pleas Judge R. Stanton Wettick, who stated that UPMC was itself a victim. He also said that, before the breach occurred, there had been no "meeting of the minds" in which liability for data breaches was discussed.
The breach was not suffered by UPMC directly; it affected a Business Associate (BA) of the healthcare provider. Class-action lawsuits have previously been filed against BAs over data breaches, and some have succeeded.
In 2010, Stanford Hospital & Clinics and one of its Business Associates faced a class-action data breach lawsuit after a breach of 20,000 records; the data had been posted on a third-party website that lacked the protections needed to keep it secure.
That lawsuit was filed for a breach of the California Confidentiality of Medical Information Act (CMIA). In that case, the healthcare provider and its Business Associate could have, and should have, taken action to prevent the breach, and they were forced to pay $4 million to settle the class-action lawsuit.