Payments to begin for UPMC employees who fell victim to data breach
UPMC on Thursday will begin making payments to 66,000 employees who were victims of a 2014 data breach — as part of a settlement approved late last year.
Employees were notified via an email on Monday that they will receive a payment notification with a link to claim it electronically. They are expected to receive between $10 and $20.
UPMC did not immediately respond to a request for comment.
Several employees filed a class-action lawsuit against UPMC in February 2014 after they learned that the health care giant’s payroll system had been breached and their personal data stolen. They alleged negligence and breach of contract, claiming that UPMC had a duty to protect the information.
A federal investigation showed that Justin Sean Johnson, an expert in the PeopleSoft software used by UPMC, was able to hack their employee database. He took the employees’ personal information and sold it on the dark web. Ultimately, according to the U.S. Attorney’s office, hundreds of false tax returns, totaling more than $1.7 million, were filed based on the breach.
Johnson, of Michigan, pleaded guilty in federal court in May to conspiracy and aggravated identity theft. He was sentenced in October to serve seven years in prison and three years of supervised release, and to pay restitution of $987,090.
According to a website dedicated to the settlement, UPMC will pay $1,679,000 into an escrow account to compensate the class members. Employees must claim their electronic payment by April 15. Otherwise a check will be sent four to six weeks later, the email said.
Any employees who experienced fraud or identity theft will be reimbursed up to $5,000 for out-of-pocket losses and up to $250 for any inconvenience experienced, the settlement said. In addition, UPMC offered Lifelock credit monitoring to all employees for five years.
Also as part of the settlement, the health system will pay nearly $1 million to cover attorney fees and costs, and $3,000 each to the seven class representatives.
A year after the lawsuit was filed, retired Allegheny County Common Pleas Judge R. Stanton Wettick threw it out, ruling that there was no cause of action for negligence that does not result in physical injury or property damage.
The state Superior Court upheld Wettick’s decision in 2017. A year later, the Pennsylvania Supreme Court reversed the decision, finding that an employer has a legal duty to exercise reasonable care in safeguarding its employees’ personal information.
The parties reached a settlement in July, which was approved by the court on Dec. 29.
“UPMC denies any wrongdoing whatsoever, and this agreement shall in no event be construed or deemed to be evidence in any other litigation …” it said.
As part of the settlement agreement, UPMC said it undertook cybersecurity improvements in response to the data breach, including engaging a firm to assess its security practices and make improvements, such as greater authentication measures and increased encryption efforts. In addition, UPMC hired additional cybersecurity professionals for its information security team.
Paula Reed Ward is a TribLive reporter covering federal and Allegheny County courts. She joined the Trib in 2020 after spending nearly 17 years at the Pittsburgh Post-Gazette, where she was part of a Pulitzer Prize-winning team. She is the author of "Death by Cyanide." She can be reached at pward@triblive.com.