Legal consequences abound at every corner in healthcare. Each month this blog discusses examples of what those consequences can be.
Welcome to the first Legal e-Speaking post of 2019! Let’s start the year out with a review of the Dittman v. UPMC (Dittman) decision that addressed the question of “whether an employer has a legal duty to use reasonable care to safeguard its employees’ sensitive personal information that the employer stores on an internet-accessible system.” The decision was made by the Pennsylvania Supreme Court on November 21, 2018.
Dittman may be of interest for several reasons. First, the employer is a healthcare provider. Second, it does not involve patients’ rights under HIPAA. Dittman is a classic example of how the common law (judge-made law) can be used to establish rights and remedies to economic injuries allegedly caused by new technologies.
The named plaintiffs in Dittman are current or former employees of the defendant. They filed a class action complaint in which they alleged that:
“a data breach had occurred through which the personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information of all 62,000 UPMC employees and former employees was accessed and stolen from UPMC’s computer systems.”
The named plaintiffs also alleged that “the stolen data, which consisted of information UPMC required Employees to provide as a condition of their employment, was used to file fraudulent tax returns on behalf of the victimized Employees, resulting in actual damages.” They asserted claims sounding in negligence and breach of contract against the defendant. In this post, I want to take a look at how the negligence claim fared.
A trial court dismissed the negligence claim. That court held that the interests of society would not be furthered by recognizing a negligence claim under the circumstances. On appeal, the Pennsylvania Superior Court affirmed the trial court. To make a long decision short, the Pennsylvania Supreme Court disagreed with the lower courts:
“Employees have alleged and…we currently must accept as true that, as a condition of employment, UPMC required them to provide certain personal and financial information, which UPMC collected and stored on its internet-accessible computer system without use of adequate security measures, including proper encryption, adequate firewalls, and an adequate authentication protocol. These factual assertions plainly constitute affirmative conduct on the part of UPMC. Additionally, while UPMC is correct that, generally, ‘there is no duty to protect or rescue someone who is at risk on account of circumstances the defendant had no role in creating,’ *** Employees have sufficiently alleged that UPMC’s affirmative conduct created the risk of a data breach. Thus, we agree with Employees that, in collecting and storing Employees’ data on its computer systems, UPMC owed Employees a duty to exercise reasonable care to protect them against an unreasonable risk of harm arising out of that act.
Again, Employees allege that UPMC, their employer, undertook the collection and storage of their requested sensitive personal data without implementing adequate security measures to protect against data breaches, including encrypting data properly, establishing adequate firewalls, and implementing adequate authentication protocol. The alleged conditions surrounding UPMC’s data collection and storage are such that a cybercriminal might take advantage of the vulnerabilities in UPMC’s computer system and steal Employees’ information; thus, the data breach was ‘within the scope of the risk created by’ UPMC….Therefore, the criminal acts of third parties in executing the data breach do not alleviate UPMC of its duty to protect Employees’ personal and financial information from that breach.”
The Supreme Court then went on to address—and reject—a second argument advanced by the defendant and remanded the action to the trial court “for further proceedings consistent with this opinion.”
Bear in mind that what the Pennsylvania Supreme Court did was based on the allegations of a pleading filed by the named plaintiffs. Presumably, the parties will now engage in discovery to test the truth of those allegations and whatever responding allegations are made by the defendant when it answers the initial pleading. That aside, we have a State court of last resort deciding that employers have a duty to take reasonable care to avoid creating the risk of a data breach when it collects and stores employee data on its computer system. That duty speaks to the need for healthcare providers to devote sufficient resources to collect and store that data or to exercise due diligence in having that collection and storage done by business associates. Dittman may be a harbinger of litigation to come.
**Editor’s Note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as legal advice.