UPMC to Settle Breach Lawsuit for $2.7 Million
2014 Hacking Incident Affected 66,000 Employees
A proposed $2.7 million settlement has been reached in a lawsuit filed against the University of Pittsburgh Medical Center in the wake of a 2014 data breach that exposed tens of thousands of employees' personal information.
Under the preliminary settlement of the 2014 civil class action lawsuit, which awaits approval by a Pennsylvania court, UPMC agreed to provide total benefits worth up to $2.7 million to a class of approximately 66,000 employees.
The settlement includes $1.7 million to establish a settlement fund for direct monetary relief to settlement class members, up to $200,000 for administrative costs and $750,000 for plaintiffs' attorneys.
Under the agreement, settlement class members may submit claims for up to $5,000 as payment for unreimbursed, out-of-pocket fraud-related losses or up to $250 for fraud-related inconveniences.
Settlement class members who do not submit claims will receive distributions of about $10 to $20 each.
"We are pleased that we've been able to negotiate a proposed resolution with UPMC that will provide meaningful relief to those who suffered financial losses, increased risks of fraud and other inconveniences when their data was compromised," says the plaintiffs' attorney, Jamisen Etzel.
"Although it took a long time to get here, the case will be significant for years to come thanks to the Pennsylvania Supreme Court’s landmark opinion in 2018, which recognized that entities engaged in collecting and storing sensitive information have a duty to handle that data with reasonable care."
In November 2018, the Supreme Court of Pennsylvania reversed a trial court’s 2015 dismissal of the employees’ negligence claim in the data breach case.
"In the case brought against UPMC, the Pennsylvania Supreme Court declared that employers have a Common Law duty to use reasonable information security safeguards to protect personal information collected from employees," says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
Court documents note that as part of the settlement agreement, UPMC denies any wrongdoing whatsoever. UPMC did not immediately respond to Information Security Media Group's request for comment on the proposed settlement.
As part of the settlement, UPMC implemented certain cybersecurity improvements, including:
- Engaging a third-party cybersecurity firm to assess UPMC’s data security practices and recommend potential improvements;
- Working with a third-party vendor to complete an architectural assessment of various security configurations;
- Hiring additional cybersecurity professionals to UPMC’s security team;
- Requiring greater authentication measures before authorizing applications;
- Increasing encryption efforts over sensitive data;
- Amending all privileged user and administrative accounts across UPMC applications;
- Reviewing data access privileges to ensure compliance with best practices;
- Revising policies and procedures to address data security;
- Disabling unused and unnecessary services; and
- Updating system security plans.
UPMC also agreed that it "will maintain any cybersecurity improvements to the extent they remain feasible and in the best interests of UPMC," court documents note. But the settlement "in no way obligates UPMC to commit to additional cybersecurity measures which have not already been undertaken in response to the data breach."
The UPMC employee data breach has also resulted in several separate federal criminal prosecutions.
In May, a Detroit man, Justin Sean Johnson, was the fourth individual to plead guilty in connection with the hacking of UPMC human resources and stealing the personally identifiable information of more than 65,000 UPMC employees, some of which was used to commit federal income tax fraud (see: Fourth Guilty Plea in UPMC Hacking Incident).
The criminal cases involving the UPMC data breach likely helped the plaintiffs' settlement negotiations, says technology attorney Steven Teppler of the law firm Mandelbaum Salsburg P.C., who was not involved in the UPMC case.
"Having a confession/guilty plea from a threat actor or wrongdoer in light of consequences directly attributable to his or her criminal acts provides strong evidence how … the security controls of a system were circumvented," he says.
Hacked HR Databases
Federal court documents in the criminal case against Johnson say he hacked into the UPMC human resources server databases in 2013 and 2014, stealing sensitive PII and W-2 federal income tax documents for tens of thousands of UPMC employees.
"The information was sold by Johnson on dark web forums for use by conspirators, who promptly filed hundreds of false 1040 tax returns in 2014 using UPMC employee PII," prosecutors said in the court filings.
These fraudulent 1040 filings resulted in tax refunds, which conspirators converted into Amazon.com gift cards they used to purchase merchandise shipped to Venezuela, prosecutors said.
The criminals filed fraudulent tax returns seeking approximately $2.2 million in refunds; about $1.7 million was actually disbursed, prosecutors said.
Evidence of Harm
Although the plaintiffs' attorney, Etzel, declined to comment specifically on the settlement negotiations with UPMC, he noted: "It was already known at the time we started the litigation that the stolen data was being used to file hundreds of false tax returns. So it was always clear to us that this case involved real harm."
Healthcare organizations defending against class action data breach litigation often find settlements attractive because of the substantial cost and business disruption of mounting a legal defense, as well as the uncertainty and risk posed by a judgment that they are at fault, Holtzman says.