by: John F. Barrett, Esquire

On November 21, 2018, the Supreme Court of Pennsylvania[1] published an opinion reversing the lower trial and appellate court’s holdings in the case of Barbara A. Dittman, et al. v. UPMC d/b/a The University of Pittsburgh Medical Center, 43 WAP 2017, (PA 2018) (Westlaw case description not yet assigned).  The Plaintiffs in the lawsuit claim that the personal and financial information (including names, dates of birth, social security numbers, home addresses, tax and bank account information) of all 62,000 University of Pittsburgh Medical Center (UPMC) employees was stolen from UPMC’s computer system.[2]  The Supreme Court of Pennsylvania’s holding in that case eliminated a major defense to privacy breach actions and unleashed a flood of new cases.

 The employees claimed that UPMC was negligent in configuring its firewalls and servers to establish sufficient authentication protocols.  These omissions allowed the breach to occur.  The employees contended that UPMC violated administrative guidelines and widely accepted industry security standards.  Opinion at 3.  With regard to damages, the employees pled that they were at an “increased and imminent risk” of identity theft and fraud as well as damages related to fraudulently filed tax returns.   Opinion at 3.

 A brief discussion of damages is in order at this point.  Unlike many of the recent opinions from federal litigation, the Pennsylvania Supreme Court did not inquire deeply into the damage allegations, but accepted them as pled.  In contrast, in the seminal case of Spokeo v. Robbins, 136 S. Ct. 1540 (2016), the United States Supreme Court found that plaintiffs could not satisfy the standing[3] requirement of “injury in fact” by mere allegations of a technical violation of a privacy related statute such as the Fair Credit Reporting Act of 1970 (FCRA), 16 USC §1681e(b). The court noted that an injury must be concrete and actually exist, not merely be a potential or abstract damage.  Spokeo, 136 S. Ct. at 1549.

In contrast, in a recent federal case from Pennsylvania the Third Circuit Court of Appeals (Federal Appellate Court for NJ, PA, DE, and USVI) found that the theft of two laptops containing PHI and PII from Horizon Healthcare customers was sufficient to satisfy Article III standing to constitute a potential violation of the FCRA.  In Re: Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625 (2017).  The Court’s rationale was that the plaintiffs were at risk of future injury due to the thefts.  It is difficult to square this opinion with Spokeo, although the Third Circuit Court of Appeals attempted to distinguish Spokeo from its case.

 In a similar case also involving theft of customer PHI/PII from a healthcare provider, a different federal circuit court of appeals (the Federal District Court of Appeals for the District of Columbia) reached a similar result as did the Third Circuit.  See Attis v. Care First, 2017 WL 3254941 (D.C. 2017).  Again, the Court found that risk of future damage due to the theft was sufficiently concrete.  Both federal appeals courts lowered the barrier for standing by accepting risk of future financial harm as sufficient.

 While the Third Circuit and District Columbia of Courts of Appeal have permitted cases including “risk of future injury” to go forward, on December 5, 2018 an Ohio Federal Court took a more conservative view.  In Williams-Diggins v. Mercy Health, Case No. 3:16-cv-01938 (U.S. District Court for the Northern District of Ohio), the court refused to per a potential class action case over a breach to proceed.  In that case, the plaintiffs alleged that Mercy Health had permitted its patient data to be exposed on outdated servers.  The plaintiffs did not contend that the data had actually been taken and misused, merely that it could have been accessed and could be misused in the future.

 The Ohio District Court held that potential exposure/theft was insufficient to permit the case to go forward based on the Spokeo requirement that a plaintiff must allege a concrete injury to allow his or her case to proceed in Federal Court.  The claims of damage in the Dittman case were somewhat more concrete, in that the information was known to have been stolen and plaintiffs alleged that the information had already been misused to the financial detriment of the particular plaintiffs.

 Prior to the Supreme Court of Pennsylvania’s opinion, the lower Pennsylvania courts had found that UPMC had neither contractual nor common law duties to its employees.  Lacking a duty, no negligence claim could be made against UPMC (since duty is the first required element of a negligence claim).  The Supreme Court of Pennsylvania agreed that there was no basis for any contractual claims (and the plaintiffs seemed to have conceded this point).  Next, UPMC, as the employer, contended that to impose a duty under the common law to protect the data of its employees would be imposing a new duty upon an employer that would become an untenable burden.

 The Supreme Court of Pennsylvania disagreed with both the Superior Court, the trial court and the employer, UPMC.  The Supreme Court of Pennsylvania reversed the lower courts and held that allowing the case to proceed would not impose or create a new duty on employers.  The Supreme Court of Pennsylvania stated it was simply applying the existing analysis of duty to a novel factual scenario.  Dittman, Opinion at 15.  As plaintiffs correctly pled the other elements of a negligence claim, the Supreme Court of Pennsylvania permitted the case to proceed, returning it to the trial court for further disposition.

 The Supreme Court of Pennsylvania began its opinion by noting that the employees were required to turn over the PHI/PII as a condition of their employment.  The Court then went on to hold that the employer, having undertaken this affirmative conduct, then acquired a duty to “exercise the care of a reasonable man to protect them against an unreasonable risk of harm to them arising out of the act”, quoting the comment to Section 302 of the Restatement (Second) of Torts.  Dittman, Opinion at 16.

 UPMC also raised the criminal action as a bar to the lawsuit which was rapidly disposed of by the Supreme Court of Pennsylvania as an inadequate defense, given the ubiquity of information systems and the requirements to provide the PHI/PII.  Opinion at 18.  In the Supreme Court of Pennsylvania’s opinion, UPMC should have anticipated attempts to access the information.  Unlike a normal criminal act, this one should have been anticipated.  Thus, the crime could not serve as a defense.  It is the holding by the Supreme Court of Pennsylvania on an affirmative defense that constitutes a real change in the law.

 UPMC contended that the Pennsylvania “Economic Loss” Doctrine barred the plaintiffs’ claims. Without delving too deeply into the unique peculiarities of Pennsylvania law, negligence tort claims that result solely in “Economic Loss”, unaccompanied by physical injury or property damage are barred by Pennsylvania law. The Supreme Court of Pennsylvania recounted the history and details of its prior decisions on the “Economic Loss” doctrine and reminded the parties that not all economic losses are barred by the doctrine, simply because the action sounds in tort rather than contract law.  The court reiterated prior decisions that held that if a duty arises “independently of any contractual duties between the parties, then a breach of that duty may support a tort action”.  Opinion at 26.

 In conclusion, the Court found that UPMC breached its common law duty to act reasonably in safeguarding the employees PHI/PII.  This duty exists independent of any contractual obligations.  The Supreme Court of Pennsylvania found that the plaintiffs’ claims were not barred by the Economic Loss doctrine (even though the tort claims resulted solely in economic injury) and reversed the underlying courts’ decisions.  While the Supreme Court of Pennsylvania may well write in its own opinion that the Dittman decision does not constitute a significant deviation from prior decisions and merely an application of existing doctrine to new factual scenarios, this conclusion is belied by the lower courts’ opinions and prior case law.

 The decision of the Supreme Court of Pennsylvania in Dittman significantly lowers the barrier for claims by plaintiffs for breaches of privacy and loss of PHI/PII.  Such cases are now far more likely to survive preliminary motions to dismiss.  The watering down of the defense of the Economic Loss doctrine (if not its outright elimination) is a watershed event in Pennsylvania law.  Insurance carriers, employers and public companies in all business sectors and of every size should anticipate new and more frequent tort claims from even relatively minor breaches that cannot be defended with the Economic Loss doctrine. 

For any questions regarding the foregoing, please do not hesitate to contact John F. Barrett at barrett@bbs-law.com, Chair of Bennett Bricklin & Saltzburg LLC’s Privacy and Data Security Practice Group.

 

[1] The highest state court in Pennsylvania.

[2] UPMC is the large medical system in western Pennsylvania.

[3] Standing is the legal right to bring a lawsuit, which requires a plaintiff to plead an injury (damages).