What Might be the Liability of a Hospital for a Data Breach?

Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.

I wrote last month about a case in which an Illinois court held that a hospital might be found liable for the wrongful conduct of a third party based on “apparent agency.” I plan to write about a similar decision soon, but will defer doing so and instead report on Dittman v. UPMC d/b/a The University of Pittsburgh Medical Center, 2017 PA Super. 8 (Jan. 12, 2017).

Dittman arose out of a data breach. Personal information of some 62,000 current and former employees was stolen from the defendant medical center’s computer systems and used to file fraudulent tax returns and steal the tax refunds of certain employees. That led to a class action in which the plaintiffs (who commenced the action on behalf of themselves and employees who had been victimized or who might be victimized) alleged that the defendant owed a legal duty to keep their information safe and to “prevent vulnerabilities in its computer system.” A trial court dismissed the action and, on appeal, the plaintiffs presented three arguments. I want to focus on one:

Does an employer have a legal duty to act reasonably in managing its computer systems to safeguard sensitive personal information collected from its employees, when the employer elects, for purposes of its own business efficiencies, to store and manage such sensitive employee data on its internet-accessible computer system, leaving it vulnerable to computer hackers, in the absence of reasonable safeguards?

The Superior Court of Pennsylvania answered “no” to this question. The appellate court looked to a five-factor test to determine whether the defendant owed a “duty of reasonable care in its collection and storage of the employee’s information and data.” Two of the factors were the “social utility of the actor’s conduct” and “the nature of the risk imposed and foreseeability of the harm incurred.” The court held:

While a data breach (and its ensuing harm) is generally foreseeable, we do not believe that this possibility outweighs the social utility of electronically storing employee information. In the modern era, more and more information is stored electronically and the days of keeping documents in file cabinets are long gone. Without doubt, employees and consumers alike derive substantial benefits from efficiencies resulting from the transfer and storage of electronic data. Although breaches of electronically stored data are a potential risk, this generalized risk does not outweigh the social utility of maintaining electronically stored information. We note here that Appellants do not allege that UPMC encountered a specific threat of intrusion into its computer systems. Thus, the second factor of the *** test, when weighed against the third factor, augurs against imposing a duty on UPMC. [footnote omitted].

For this and other reasons, the Superior Court affirmed the dismissal. One judge agreed with the dismissal but made this concurring statement:

I also agree under the second factor *** that there is significant social utility in companies like UPMC being able to store information electronically. The entire world is moving towards electronic storage of information. With this will come a greater awareness of what is reasonable in terms of the care and storage of confidential information. At some point, the balance of weighing social utility in favor of data storage entities may shift more in favor of persons like Appellants. When harm becomes foreseeable under circumstances that commonly are understood to render storage vulnerable, the fourth *** factor may weigh in favor of imposing additional duties upon an actor even absent legislative action. As for the fifth and final factor under the *** test (the overall public interest), I believe that this factor too may shift as the foreseeability of harm changes with the evolution and increased use of this technology.

A third judge dissented, stating in part:

Here, the Appellants claimed that UPMC had failed to use reasonable care in the storage of their personal information by, inter alia, properly encrypting the data, establishing adequate firewalls, and implementing an appropriate authentication protocol. Appellants’ assertions, if proven, would establish that UPMC knew or should have realized that inadequate electronic data protections would create a likelihood that its employees’ personal information would be compromised, and that a third party would avail itself of the opportunity to steal this sensitive data. *** Under the circumstances alleged, the criminal acts of third parties do not relieve UPMC of its duty of care in the protection of Appellants’ sensitive personal data. Thus, I would weigh this factor in favor of imposing a duty of reasonable care upon UPMC.

What conclusions might be drawn from Dittman? First, recognize that Dittman is a decision of an intermediate appellate court within the judicial system of one State. The highest court of Pennsylvania might, if called on to review what the Superior Court did on appeal, take a different view. Second, we are looking at the law of only one State and other State courts might arrive at an answer different from that of Dittman.

Beyond these preliminary words of caution, Dittman recognizes that electronic information is ubiquitous and that everyone derives benefits from the creation and storage of that information. Those benefits might outweigh risks associated with electronic information. Courts will continue to be called upon to weigh benefit versus risk on the basis of the facts presented (and remember that the defendant hospital center in Dittman had been unaware of any specific threat to its computer systems). This puts a premium on the appropriate governance of electronic information (particularly sensitive information such as employee and patient information). Healthcare providers should review.

Editor’s note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as advice.

Ron Hedges, JD, is a former US Magistrate Judge in the District of New Jersey and is a writer, lecturer, and consultant on topics related to electronic information. He is a Senior Counsel with Dentons US LLC.