Presented by the Health Law Practice Group

Legal Updates for Health Law

Edited by Mary Kate McGrath, Esq.

Allegheny Court Refuses to Recognize Negligence Claim for Data Breach

Dittman v. UPMC, C.C.P. Allegheny No. GD-14-003285

On May 28, 2015, the Honorable Stanton Wettick sustained preliminary objections in Dittman v. UPMC, dismissing all counts in a class action matter brought on behalf of 62,000 employees of the University of Pittsburgh Medical Center (UPMC). The plaintiffs alleged that UPMC failed to enact appropriate cyber security mechanisms, which caused a data breach when hackers infiltrated UPMC’s system and obtained the employees’ personal information, including their names, addresses, social security numbers, banking information and tax information. Judge Wettick also sustained the defendant’s preliminary objections and dismissed the plaintiffs’ claims that UPMC breached a contractual obligation to prevent the data breach.

Judge Wettick reasoned that Pennsylvania courts should not recognize a common law negligence claim for failure to prevent unauthorized access of computerized information because the Pennsylvania General Assembly ostensibly considered this issue when promulgating the Data Breach Act (73 P.S. Sec. 2301, et seq. (effective June 20, 2006)). The court recognized that the Pennsylvania General Assembly declined to statutorily create both a duty to safeguard computerized information as well as a private cause of action in the event of a data breach caused by the unauthorized access of computerized information.

According to Judge Wettick, the plaintiffs’ claims failed to establish a prima facie negligence claim under the economic loss doctrine because no cause of action exists for negligence that results solely in economic losses unaccompanied by physical injury or property damage. Excavation Technologies, Inc. v. Columbia Gas Co. of Pa., 985 A.2d 840, 841 (Pa. 2009). Even if the economic loss doctrine did not preclude a negligence claim in Dittman, Judge Wettick determined that the analysis created by the Pennsylvania Supreme Court under Seebold/Althaus did not warrant the creation at common law of an affirmative duty that would permit recovery in data breach actions. Seebold v. Prison Health Servs., Inc., 57 A.3d 1232 (Pa. 2012). The court pointed out that cyber security attacks are conducted by sophisticated third-party criminals and there is not a safe harbor for entities storing confidential information. The court maintained that the judicial system would be overwhelmed by the hundreds of thousands of potential litigants in data breach claims. The court also determined that a duty could not be appropriately established under a negligence theory because no generally accepted reasonable care standards have been created by experts.

The court determined that both private and non-profit employers would not be able to afford the costs associated with data breach lawsuits caused by unauthorized access of computerized information. Singling out health care providers, the Dittman court held:

I cannot say with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liability on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business.

Judge Wettick determined that the plaintiffs’ complaint failed to plead with legal sufficiency that the utilization of a superior cyber security protection mechanism would have prevented the data breach at issue. The court concluded its opinion with the determination that there was no contract, whether express or implied, between UPMC and its employees establishing that UPMC agreed to allow its employees to sue the health care system for damages allegedly sustained as a result of a data breach.

The material in this law alert has been prepared for our readers by Marshall Dennehey Warner Coleman & Goggin. It is solely intended to provide information on recent legal developments, and is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. We welcome the opportunity to provide such legal assistance as you require on this and other subjects.

ATTORNEY ADVERTISING pursuant to New York RPC 7.1
© 2015 Marshall Dennehey Warner Coleman & Goggin. All Rights Reserved.