UPMC Pays $2.65 Million to Resolve Employee Data Breach Lawsuit

UPMC has offered a $2.65 million payout to resolve a lawsuit filed by workers affected by a data breach in February 2014.

UPMC in Pittsburgh, PA reported the data breach in February 2021 and at first assumed the attackers had acquired only the tax details of a couple of hundred of its staff; however, in April 2014, UPMC confirmed that the breach was far more extensive and impacted 27,000 out of 66,000 employees. In May 2014, UPMC affirmed that the personal data of all of its workers had possibly been exposed.

The information affected in the attack included names and Social Security numbers, a number of which were used by the threat actors to submit bogus tax returns. Four persons associated with the cyberattack were indicted and confessed to tax fraud and identity theft charges. They tried to obtain about $2.2 million in tax refunds and obtained $1.7 million from the IRS.

Under the terms of the settlement, current and former staff whose personal data were compromised in the data breach can file claims for fraud-related losses and claim reimbursement for time spent avoiding losses. The 66,000 class members can claim as much as $250 as reimbursement for fraud-related inconveniences or submit a claim for approximately $5,000 as repayment for out-of-pocket losses connected to fraud or identity theft. Any class member who does not submit a claim will be given a payment of $10 to $20. UPMC will create a $1.68 million settlement fund and will pay around $200,000 to a settlement administrator. UPMC will also pay court costs and attorneys’ fees.

The settlement also requires UPMC to implement a range of cybersecurity measures to enhance security and ensure the personal data of employees is safeguarded. Those measures include having a third-party security analysis, adding cybersecurity specialists to its security team, improving authentication, expanding the use of encryption, ensuring compliance with cybersecurity recommendations, turning off all unnecessary and unused services, and updating its network security strategies. The settlement does not require UPMC to implement additional cybersecurity measures beyond those already undertaken in response to the breach.

UPMC has not admitted liability for the breach. The decision to settle the lawsuit was made to avoid further costs, inconvenience, and the distraction of difficult and protracted litigation. A motion for preliminary approval of the settlement was filed on July 15.

It has taken quite some time to reach a settlement. In 2015, a trial court dismissed the plaintiffs’ negligence claim; however, the Pennsylvania Supreme Court reversed that judgment in November 2018 when the court ruled that employers have a common law duty to take reasonable steps to safeguard the personal details of employees.

The plaintiffs’ lawyer, Jamisen Etzel, stated that it’s great to be able to discuss a proposed agreement with UPMC that will give purposeful relief to those people who experienced financial losses, higher threats of fraud, and other inconveniences when their information was exposed.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone