Florida Firm Denies Link to UPMC Data Breach

A University of Pittsburgh Medical Center employee has sued the hospital network for credit restoration services and identity theft insurance in the wake of a data breach that has seen hackers use the personal information of hundreds of employees to file bogus federal income tax returns.

Alice Patrick, who works at UPMC McKeesport hospital, filed her lawsuit against UPMC and Ultimate Software Group Inc., of Weston, Florida, on Friday in U.S. District Court. UPMC isn’t commenting, but an executive with a Florida payroll processing firm is denying the company has anything to do with the data breach affecting as many as 27,000 UPMC employees.

Mitchell Dauerman, the company’s executive vice president, said he doesn’t believe UPMC or any of its subsidiaries are clients of Ultimate Software, and may have been sued by mistake.

The hospital has confirmed the data breach may have compromised the personal information of 27,000 of its 62,000 employees – including nearly 800 who’ve had bogus tax returns filed using their personal information.

Patrick’s lawsuit is unusual because she’s not seeking monetary damages, but rather identity theft protection going forward, according to David Thaw, a professor of law an information sciences at the University of Pittsburgh.

Thaw told the Pittsburgh Tribune-Review, which first reported the lawsuit, this is the first major lawsuit he’s seen in which the plaintiff doesn’t seek monetary damages. Rather, Patrick and her attorneys – who are seeking class-action status on behalf of all similarly affected employees – want the defendants to pay for 25 years of credit and bank monitoring, identity theft insurance and services to help affected employees restore their good credit.

Credit monitoring services typically cost $10 or more per month, but multiplied by the thousands of employees potentially affected over 25 years would cost millions.

Thaw said it was unusual in his experience for a plaintiff to seek 25 years’ worth of credit monitoring. Most cases he’s reviewed call for such remedies to last from six months to five years.

Federal prosecutors and Internal Revenue Service agents in Pittsburgh have been investigating the data breach. Nobody has been charged or named as a suspect so far.