
UPMC Reaches $450K Settlement in Healthcare Data Breach Lawsuit

University of Pittsburgh Medical Center (UPMC) and its legal counsel faced a lawsuit over their handling of a 2020 healthcare data breach.

University of Pittsburgh Medical Center (UPMC) and Charles J. Hilton, PC, (CJH) agreed to a $450,000 settlement to resolve allegations relating to a 2020 healthcare data breach. UPMC had engaged CJH’s practice to provide billing-related legal services. The breach stemmed from an email intrusion on CJH’s network that potentially exposed the information of UPMC patients.

According to the initial complaint, filed by plaintiff Michael Bowen against CJH and UPMC, CJH discovered suspicious activity on its employee email system in June 2020. Further investigation revealed that an unauthorized actor had accessed several CJH email accounts between April 1 and June 25, 2020.

The breach potentially impacted 36,000 UPMC patients and exposed protected health information (PHI), including health insurance information, diagnoses, prescription information, Social Security numbers, and more.

UPMC notified patients of the breach in December 2020 and again in February 2021, when it told impacted individuals that “there is no evidence that this data was misused,” the complaint stated.

However, Bowen said he then learned that a Visa credit card account was opened in his name without his authorization. Based on probability, the plaintiff had reason to link the fraud to his involvement in the UPMC breach.

The plaintiff alleged that UPMC and CJH failed to safeguard sensitive data, violated current data security industry standards, and failed to establish adequate firewalls to handle a server intrusion.

As recent cases have shown, it is difficult for patients to prove actual harm in healthcare data breach lawsuits. This is partly due to the outcome of Ramirez v. TransUnion, in which the Supreme Court ruled that data breach victims must demonstrate actual injury and prove that the defendant’s conduct caused the damage in order to claim Article III standing.

UPMC and CJH denied all allegations, but CJH agreed to a $450,000 settlement to cover claims submitted by class members. In 2021, UPMC settled another class-action lawsuit filed over a 2014 data breach and agreed to pay $2.65 million.
