UPMC Pays $2.65 Million to Settle Employee Data Breach Lawsuit

UPMC has proposed a $2.65 million settlement to resolve a lawsuit filed by workers affected by a data breach in February 2014.

UPMC, based in Pittsburgh, PA, submitted a report about the data breach in February 2021 and initially thought the attackers had taken only the tax data of several hundred of its staff. In April 2014, however, UPMC stated that the breach was much more extensive and impacted 27,000 of its 66,000 workers. In May 2014, UPMC reported that the personal data of all of its workers had probably been breached.

The information exposed in the attack included names and Social Security numbers, a few of which the attackers used to file fraudulent tax returns. Four people behind the cyberattack were charged and pleaded guilty to identity theft and tax fraud charges. They attempted to obtain around $2.2 million in tax refunds and received $1.7 million from the IRS.

Under the terms of the settlement, current and former staff whose personal details were compromised in the data breach can file claims for fraud-related losses and claim reimbursement for time spent preventing losses. The 66,000 class members can claim up to $250 as compensation for fraud-related inconveniences or file a claim for around $5,000 as reimbursement for out-of-pocket losses connected to identity theft or fraud. Any class member who doesn’t submit a claim will get a payment of between $10 and $20. UPMC will set up a $1.68 million settlement fund and will pay approximately $200,000 to a settlement administrator. UPMC will additionally cover court fees and attorneys’ fees.

The settlement additionally requires UPMC to follow a number of cybersecurity steps to improve security and make sure the personal data of employees is protected. Those steps include undergoing a third-party security evaluation, adding more cybersecurity experts to its security team, enhancing authentication procedures, increasing the use of encryption, ensuring compliance with cybersecurity guidelines, deactivating all unnecessary and unused services, and updating its system security programs. The settlement does not require UPMC to implement cybersecurity measures beyond those it has already taken in response to the breach.

UPMC has not admitted liability for the breach. The decision to settle the lawsuit was made to avoid further expense, inconvenience, and the distraction of burdensome and protracted litigation. A motion for preliminary approval of the settlement was submitted on July 15.

It has taken quite a while to reach a settlement. In 2015, a trial court dismissed the plaintiffs’ negligence claim; however, the Pennsylvania Supreme Court reversed that decision in November 2018, ruling that employers have a common law duty to use reasonable safety measures to secure the personal data of employees.

The plaintiffs’ attorney, Jamisen Etzel, said it’s good to be able to negotiate a proposed settlement with UPMC that will offer meaningful relief to individuals who suffered financial losses, greater risks of fraud, and other inconveniences when their information was exposed.