United States: Employees Can't Sue Hospital For Negligence, Breach Of Contract, After Personal Data Breach

In a favorable decision for defendants in data breach litigation, the Pennsylvania Court of Common Pleas of Allegheny County held that the economic loss doctrine prevented the negligence claim of a group of former and current UPMC employees from going forward in their suit arising out of the theft of information from UPMC's computer systems. The economic loss doctrine precludes negligence claims where the negligence results "solely in economic losses unaccompanied by physical injury or property damage," explained Judge R. Stanton Wettick, Jr. In so holding, the court indicated that the theft of personal information, including salaries, Social Security numbers, tax and bank account information, birth dates, and addresses, constituted a loss that was purely economic in nature.

The plaintiffs also asserted a breach-of-contract claim against UPMC, but the court found that they had not shown UPMC had agreed to be liable to employees for the criminal acts of third parties. The court found plaintiffs had not shown a meeting of the minds sufficient for the existence of an implied contract. Thus, the court sustained UPMC's preliminary objections as to the breach-of-contract claim, in addition to the negligence claim.

Along with dismissing the plaintiffs' negligence claim, the court declined to "alter the direction of the General Assembly" by recognizing a duty of care permitting the recovery of damages, similar to those existing in common law negligence actions, in data breach claims. The court observed that the General Assembly had only chosen to impose a duty of notification of data breaches in the Breach of Personal Information Notification Act, and stated it would not be appropriate for judges to create any new duties because "public policy is a matter for the Legislature."

Judge Wettick incorporated into his opinion parts of UPMC's supplemental brief stating that prior to enacting the Data Breach Act, the General Assembly "extensively considered data breaches and the issues related thereto," but declined to create a private cause of action for individuals or establish a duty of protection. Looking to the Act's legislative history, UPMC also noted that an "expansive civil liability provision" was considered but ultimately rejected.

Although Judge Wettick acknowledged that judicial policymaking was appropriate in some instances, he ultimately concluded that he could not say "with reasonable certainty that the best interests of society would be served through the recognition of new affirmative duties of care imposing liabilities on health care providers and other entities electronically storing confidential information, the financial impact of which could even put these entities out of business."

This article is presented for informational purposes only and is not intended to constitute legal advice.