Dittman v. UPMC (majority)Annotate this Case
The Pennsylvania Supreme Court granted discretionary review in this matter to determine whether an employer has a legal duty to use reasonable care to safeguard its employees’ sensitive personal information that the employer stores on an internet-accessible computer system. Barbara Dittman, individually and on behalf of all others similarly situated (collectively, Employees), filed the operative class action complaint in this matter against UPMC d/b/a the University of Pittsburgh Medical Center and UPMC McKeesport (collectively, UPMC), alleging that a data breach had occurred through which the personal and financial information, including names, birth dates, social security numbers, addresses, tax forms, and bank account information of all 62,000 UPMC employees and former employees was accessed and stolen from UPMC’s computer systems. Employees further alleged that the stolen data, which consisted of information UPMC required Employees to provide as a condition of their employment, was used to file fraudulent tax returns on behalf of the victimized Employees, resulting in actual damages. Employees asserted a negligence claim and breach of implied contract claim against UPMC. The Supreme Court held an employer has a legal duty to exercise reasonable care to safeguard its employees’ sensitive personal information stored by the employer on an internet- accessible computer system. Furthermore, the Court held that, under Pennsylvania’s economic loss doctrine, recovery for purely pecuniary damages is permissible under a negligence theory provided that the plaintiff can establish the defendant’s breach of a legal duty arising under common law that is independent of any duty assumed pursuant to contract. As the Superior Court came to the opposite conclusions, the Supreme Court vacated its judgment.