University of Pittsburgh Medical Center Paid $450,000 to Settle Data Breach Lawsuit

University of Pittsburgh Medical Center (UPMC) has decided to settle a class action data breach lawsuit. It will set aside $450,000 to pay claims from individuals who suffered losses because of the theft and improper use of their protected health information (PHI).

The data breach affected around 36,000 individuals. An unauthorized third party accessed and stole their protected health information between April 2020 and June 2020. The breach happened at Charles J. Hilton PC (CJH), UPMC's legal counsel that handled its billing. The compromised information was kept within the company's email environment and included names, birth dates, Social Security numbers, financial data, ID numbers, signatures, insurance details, and medical data. The data breach was discovered in June 2020; however, breach notifications were not mailed to affected individuals until December 2020.

Although many speculative lawsuits are filed against healthcare providers and their business associates over the exposure of patient records, in this case the plaintiff was defrauded right after the breach as a result of his information being stolen in the data breach at CJH. The hacker opened an Amazon credit card account in his name. The plaintiff stated that he had to spend a significant amount of time dealing with the misuse of his personal data and PHI. The lawsuit asserted that UPMC and CJH failed in their duty to safeguard patient information and had not put in place reasonable and proper safeguards to protect patients' private information.

UPMC and CJH did not admit any wrongdoing or liability but agreed to resolve the case. Under the terms of the settlement, class members can file a claim for a $250 cash payment as compensation for documented out-of-pocket expenses related to the security breach and may submit claims for as much as $2,500 to recover fraudulent charges and costs associated with identity theft, including $30 for undocumented time spent dealing with the breach. Class members will also be offered 12 months of complimentary credit monitoring, identity theft, and dark web monitoring services. Claims should be filed no later than September 3, 2022.

A year ago, UPMC paid $2.65 million to settle a lawsuit filed on behalf of 27,000 workers affected by a data breach in February 2014.

Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA