
Pittsburgh medical center to pay $2.65M in settlement for 2014 data breach

UPMC Mercy Hospital viewed from across the Monongahela River. (Cbaile19)

The University of Pittsburgh Medical Center has agreed to a $2.65 million settlement with the 66,000 employees impacted by the theft of data from its human resource database in 2014. The stolen personally identifiable information was allegedly sold on the dark web and later used to file $2 million in fraudulent tax returns.

The lawsuit was first filed by the impacted employees in 2014, soon after UPMC notified the employees that hackers had stolen troves of their personal information from UPMC, including Social Security numbers, tax information, and bank account numbers from the impacted server.

The June 2020 indictment of Justin Sean Johnson by a federal grand jury for the Western District of Pennsylvania shed further light on the incident. Johnson purportedly broke into the UPMC server, stole the employee data, and sold it to a number of cybercriminals on the dark web. Those individuals then filed tax returns using the stolen data.

Evidence provided in the lawsuit showed that UPMC promptly launched an assessment of its systems and protocols after discovering the intrusion. Following the investigation, “numerous modifications and enhancements were implemented to the affected system and infrastructure security.”

UPMC remediated these issues and implemented updated policies to address the deficiencies, while attempting to address the concerns of employees in the wake of the incident. However, the affected employees sued UPMC for alleged negligence and breach of contract soon after the breach notice.

In 2015, the case was dismissed by the Pennsylvania Court of Common Pleas, which ruled UPMC was not responsible for the incident. The impacted employees continued to appeal their case, and in 2018 the Pennsylvania Supreme Court overturned the 2015 decision, finding UPMC was indeed responsible for keeping its employee data protected.

At the time, the court warned that UPMC may also be responsible for providing the breach victims with monetary damages. The parties met in June 2020 during a mediation conference with independent counsel. Although a compromise was not reached during the initial meeting, the parties continued to negotiate until August of that same year, when an agreement was reached.

The newly announced settlement will require UPMC to pay the impacted employees up to $2.65 million, which includes a payment of $1.68 million to establish a settlement fund for direct monetary relief for the breach victims and a portion of the administration costs, in excess of $200,000.

The settlement also includes a payment of up to $200,000 to a settlement administrator for the actual costs of “notice and settlement administration,” as well as up to $21,000 in service awards, or up to $3,000 for each named plaintiff as approved by the court.

The costs also include up to $750,000 for the victims’ attorney fees and costs, which also must be approved. The impacted employees may submit claims for up to $5,000 for reimbursement of out-of-pocket fraud losses, or up to $250 to reimburse “fraud related inconveniences.”

Individuals who don’t submit claims “will receive equal distributions of all remaining funds after approved claims and the portion of any administration costs in excess of $200,000 are paid from the settlement fund,” expected to total at least $10 to $20 per member, according to the lawsuit.

UPMC is seeking approval of the settlement to end the seven-year litigation and secure monetary recovery for the impacted employees. The health system’s leaders continue to deny any wrongdoing, and the settlement is in no way to be seen as an admission, according to the filing. The settlement now awaits final approval from the court later this year.

“The court finds that the proposed settlement includes sufficient monetary consideration to provide all [individuals] with a financial recovery and… creates an equitable claims process that will allow [individuals] an opportunity to obtain additional reimbursement for certain types of harm they may have suffered as a result of [the incident],” according to the lawsuit.

The court also found the proposed settlement is “within the range of reasonableness and an adequate exchange” to end the litigation.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
