
UPMC to Settle Breach Lawsuit for $2.7 Million

2014 Hacking Incident Affected 66,000 Employees

A proposed $2.7 million settlement has been reached in a lawsuit filed against the University of Pittsburgh Medical Center in the wake of a 2014 data breach that exposed tens of thousands of employees' personal information.


Earlier, the incident led to at least four guilty pleas by co-conspirators charged by federal prosecutors with identity theft and tax fraud crimes.

Under the preliminary settlement of the 2014 civil class action lawsuit, which awaits approval by a Pennsylvania court, UPMC agreed to provide total benefits worth up to $2.7 million to a class of approximately 66,000 employees.

Settlement Terms

The settlement includes $1.7 million to establish a settlement fund for direct monetary relief to settlement class members, up to $200,000 for administrative costs and $750,000 for plaintiffs' attorneys.

Under the agreement, settlement class members may submit claims for up to $5,000 as payment for unreimbursed, out-of-pocket fraud-related losses or up to $250 for fraud-related inconveniences.

Settlement class members who do not submit claims will receive distributions of about $10 to $20 each.

"We are pleased that we’ve been able to negotiate a proposed resolution with UPMC that will provide meaningful relief to those who suffered financial losses, increased risks of fraud and other inconveniences when their data was compromised," says the plaintiffs' attorney, Jamisen Etzel.

"Although it took a long time to get here, the case will be significant for years to come thanks to the Pennsylvania Supreme Court’s landmark opinion in 2018, which recognized that entities engaged in collecting and storing sensitive information have a duty to handle that data with reasonable care."

In November 2018, the Supreme Court of Pennsylvania reversed a trial court’s 2015 dismissal of the employees’ negligence claim in the data breach case.

"In the case brought against UPMC, the Pennsylvania Supreme Court declared that employers have a Common Law duty to use reasonable information security safeguards to protect personal information collected from employees," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.

Court documents note that as part of the settlement agreement, UPMC denies any wrongdoing whatsoever. UPMC also did not immediately respond to Information Security Media Group's request for comment on the proposed settlement.

Improved Cybersecurity

As part of the settlement, UPMC implemented certain cybersecurity improvements, including:

  • Engaging a third-party cybersecurity firm to assess UPMC’s data security practices and recommend potential improvements;
  • Working with a third-party vendor to complete an architectural assessment of various security configurations;
  • Hiring additional cybersecurity professionals to UPMC’s security team;
  • Requiring greater authentication measures before authorizing applications;
  • Increasing encryption efforts over sensitive data;
  • Amending all privileged user and administrative accounts across UPMC applications;
  • Reviewing data access privileges to ensure compliance with best practices;
  • Revising policies and procedures to address data security;
  • Disabling unused and unnecessary services; and
  • Updating system security plans.

UPMC also agreed that it "will maintain any cybersecurity improvements to the extent they remain feasible and in the best interests of UPMC," court documents note. But the settlement "in no way obligates UPMC to commit to additional cybersecurity measures which have not already been undertaken in response to the data breach."

Criminal Cases

The UPMC employee data breach has also resulted in several separate federal criminal prosecutions.

In May, a Detroit man, Justin Sean Johnson, was the fourth individual to plead guilty in connection with the hacking of UPMC human resources and stealing the personally identifiable information of more than 65,000 UPMC employees, some of which was used to commit federal income tax fraud (see: Fourth Guilty Plea in UPMC Hacking Incident).

The criminal cases involving the UPMC data breach likely helped the plaintiffs' settlement negotiations, says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., who was not involved in the UPMC case.

"Having a confession/guilty plea from a threat actor or wrongdoer in light of consequences directly attributable to his or her criminal acts provides strong evidence how … the security controls of a system were circumvented," he says.

Hacked HR Databases

Federal court documents in the criminal case against Johnson say he hacked into the UPMC human resources server databases in 2013 and 2014, stealing sensitive PII and W-2 federal income tax documents for tens of thousands of UPMC employees.

"The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false 1040 tax returns in 2014 using UPMC employee PII," prosecutors said in the court filings.

These fraudulent 1040 filings resulted in tax refunds, which conspirators converted into gift cards they used to purchase merchandise shipped to Venezuela, prosecutors said.

The criminals filed fraudulent tax returns seeking approximately $2.2 million in refunds; about $1.7 million was actually disbursed, prosecutors said.

Evidence of Harm

Although the plaintiffs' attorney, Etzel, declined to comment specifically on the settlement negotiations with UPMC, he noted: "It was already known at the time we started the litigation that the stolen data was being used to file hundreds of false tax returns. So it was always clear to us that this case involved real harm."

Healthcare organizations defending against class action data breach litigation often find settlements attractive because of the substantial cost and business disruption of mounting a legal defense, as well as the uncertainty and risk posed by a judgment that they are at fault, Holtzman says.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
