Dittman v. UPMC

Superior Court of Pennsylvania

January 12, 2017

BARBARA A. DITTMAN, GARY R. DOUGLAS, ALICE PASTIRIK, JOANN DECOLATI, TINA SORRENTINO, KRISTEN CUSHMAN AND SHANNON MOLYNEAUX, INDIVIDUALLY AND ON BEHALF OF ALL OTHERS SIMILARLY SITUATED, Appellants
v.
UPMC D/B/A THE UNIVERSITY OF PITTSBURGH MEDICAL CENTER, AND UPMC MCKEESPORT, Appellees

         Appeal from the Order Entered May 28, 2015 In the Court of Common Pleas of Allegheny County Civil Division at No(s): GD14-003285

          BEFORE: OLSON, STABILE AND MUSMANNO, JJ.

          OPINION

          OLSON, J.

         Appellants, Barbara Dittman, Gary Douglas, Alice Pastirik, Joann Decolati, Tina Sorrentino, Kristin Cushman, and Shannon Molyneaux, individually and on behalf of all others similarly situated, [1] appeal from the May 28, 2015 order sustaining preliminary objections on behalf of UPMC. After careful review, we affirm.

         We summarize the relevant factual background and procedural history as follows. Appellants brought an action for negligence and breach of contract against UPMC after a data breach, wherein the names, birth dates, social security numbers, tax information, addresses, salaries, and bank information of approximately 62,000 UPMC employees and former employees were accessed and stolen from UPMC's computer systems ("the data breach"). The stolen information was used to file fraudulent tax returns and steal the tax refunds of certain employees. The digitally-stored data consisted of personal information that UPMC required employees to provide as a condition of their employment.

         The exact manner in which the data breach occurred is unknown. The manner in which UPMC announced the data breach to the public and employees suggested that it was unaware of the breach, its scope, or both. In its first confirmation of the data breach in February 2014, UPMC stated that only 22 employees were affected. In March 2014, UPMC reported 322 employees' information had been stolen. In April 2014, it confirmed that information for up to 27,000 employees was compromised and at least 788 of those employees had been victims of tax fraud. Finally, in May 2014, UPMC announced that the data breach compromised information from all of its employees.

         Appellants assert that UPMC owed a legal duty to protect their personal and financial information. They also allege that UPMC failed to keep their information safe and prevent vulnerabilities in its computer system. Specifically, they allege UPMC failed to properly encrypt data, establish adequate firewalls, and implement adequate authentication protocols to protect the information in its computer network. Appellants assert that UPMC's failure to safeguard their information was the direct and proximate cause of actual damages sustained from the filing of fraudulent tax returns using their stolen information. Appellants further allege that UPMC's failure to protect their information put them at an increased and imminent risk of becoming victims of identity theft crimes, fraud, and abuse in the future. This resulted in monetary damages incurred to protect themselves and their information.

         Appellants brought actions for both negligence and breach of implied contract. These claims were brought on behalf of two separate but overlapping classes of similarly situated persons. The first proposed class included those current and former employees of UPMC who have already been victimized by identity theft resulting from the data breach. The second proposed class included those individuals whose personal and financial information has been stolen, and who are at an increased and imminent risk of becoming victims of identity theft crimes, fraud, and abuse as a result of the data breach.

         Appellants filed a class action complaint on February 27, 2014, to which UPMC filed preliminary objections on April 30, 2014. Appellants then filed the first amended class action complaint on May 16, 2014. UPMC filed renewed preliminary objections and Appellants responded by filing their second amended class action complaint on June 25, 2014. UPMC again filed preliminary objections, arguing the second amended complaint should be dismissed on the grounds that Appellants lacked standing to assert claims on behalf of individuals who had not yet been injured. UPMC further asserted that Appellants' negligence and breach of implied contract claims fail as a matter of law. Appellants responded in opposition.

         The parties appeared for oral argument on UPMC's preliminary objections on October 22, 2014. The trial court then ordered both parties to file supplemental briefs on the issue of whether UPMC owed a duty to its employees with respect to the handling of their personal and financial data which UPMC requires employees produce. On May 28, 2015, the court sustained UPMC's preliminary objections and dismissed both claims. This timely appeal followed.[2]

         Appellants present three issues for our review:

1. Does an employer have a legal duty to act reasonably in managing its computer systems to safeguard sensitive personal information collected from its employees, when the employer elects, for purposes of its own business efficiencies, to store and manage such sensitive employee data on its internet-accessible computer system, leaving it vulnerable to computer hackers, in the absence of reasonable safeguards?
2. Can a tort claim for negligence be maintained when the alleged losses, while admittedly purely economic in nature, result from the breach of a legal duty recognized by common law, and not from a duty arising under a contract?
3. Is there an implied agreement between an employer and its employees requiring the employer to act reasonably to safeguard its computer systems when the employer requires its employees, as a condition of employment, to provide sensitive personal information and then elects, for purposes of its own business efficiencies, to store and manage such sensitive employee data on its internet-accessible computer system, leaving it vulnerable to computer hackers, in the absence of such reasonable safeguarding?

         Appellants' Brief at 3-4.[3]

         In our review of a trial court's order sustaining preliminary objections in the form of a demurrer, we must consider all well-pleaded facts set forth in the complaint, and all inferences, in the light most favorable to the non-moving party. Seebold v. Prison Health Servs., Inc., 57 A.3d 1232, 1243 (Pa. 2012). Our standard of review is limited to deciding whether, based on the facts and inferences, "the law says with certainty that no recovery is possible." Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270, 274 (Pa. 2005). We will reverse the trial court's order sustaining preliminary objections only if there is a clear abuse of discretion or an error of law. Soto v. Nabisco, Inc., 32 A.3d 787, 790 (Pa. Super. 2011).

         Appellants first argue that the trial court erred in finding that UPMC did not owe a duty of reasonable care in its collection and storage of the employees' information and data. Appellants' Brief at 21. Whether a duty exists is a question for the courts to decide. R.W. v. Manzek, 888 A.2d 740, 746 (Pa. 2005). To determine whether a duty of care exists, we look to the five factors set out in our Supreme Court's decision in Althaus ex. rel. Althaus v. Cohen, 756 A.2d 1166, 1169 (Pa. 2000) and reaffirmed in Seebold, 57 A.3d at 1243. Those factors are:

1. the relationship between the parties;
2. the social utility of the actor's conduct;
3. the nature of the risk imposed and foreseeability of the harm incurred;
4. the consequences of imposing a duty upon the ...
