Overturning two lower courts' rulings, the Pennsylvania Supreme Court reinstated a lawsuit several employees brought against two University of Pittsburgh Medical Centers, claiming negligence in connection with a 2014 data breach, Business Insurance reports.
Employees of UPMC and UPMC McKeesport filed a lawsuit in 2014 alleging negligence and a breach of an implied contract claim after a data breach exposed personal and financial information, including names, birth dates, Social Security numbers, addresses, tax forms and bank account information. The information of roughly 62,000 employees and former employees was accessed and stolen.
The two lower courts ruled UPMC was not responsible for securing its employees' data, since they submitted that information voluntarily.
Overturning those rulings, the six state Supreme Court judges unanimously agreed UPMC is responsible for protecting its employees' data.
"Employees have sufficiently alleged that UPMC's affirmative conduct created the risk of a data breach," the ruling stated, according to Business Insurance. "Thus, we agree with Employees that, in collecting and storing Employees' data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act."
UPMC may also owe employees monetary damages if the employees can show UPMC was negligent. The case was remanded for further proceedings.