Client Alert-Pennsylvania Hospital System Suffers Costly Hack

May 21, 2021



A six-year-long investigation by the IRS, Secret Service, and U.S. Postal inspectors has culminated in a guilty plea by a Michigan man in the hack of personnel records of over 65,000 employees of the University of Pittsburgh Medical Center (UPMC). UPMC is the largest health care provider in the State of Pennsylvania.

Over the course of several months in 2014, Justin Johnson, otherwise known as “The DearthStar” and “Dearthy Star” on the dark web, exploited UPMC’s PeopleSoft HR software to gain access to employees’ personal information. Johnson then sold the information on the dark web, where the data was used by other criminals in Venezuela and elsewhere to file over 1300 false Form 1040 federal income tax returns. The returns resulted in over $1.7 million in false refunds.

While it is noteworthy that Johnson was ultimately caught and brought to justice, those in the health and pharmaceutical industries should also note an additional consequence of the hack—a class action lawsuit brought by UPMC employees against their employer over the hospital network’s failure to protect their personal information.

The lawsuit, currently in settlement negotiations, went all the way to the Pennsylvania Supreme Court. While the suit failed in the lower courts, the Supreme Court ultimately held that UPMC’s collection of its employees’ personal information meant that it could be held to a higher standard of care in the protection of that information from data breaches, indicating that UPMC’s duty to protect arose from common law principles of negligence. The decision placed UPMC on the hook for potentially significant monetary damages, the extent of which will be determined through the ongoing settlement discussions.

The FisherBroyles Pharmacy and Health Care Law team is pleased to keep you updated on events of interest to those in the healthcare, medical device, and pharmaceutical industries.

For questions related to the subject matter of this alert, and cybersecurity issues in general, please contact any of the listed attorneys.

Brian E. Dickerson  202.570.0248

Anthony J. Calamunci  419.376.1776

Nicole Hughes Waid  202.906.9572

Amy L. Butler  419.340.8466

About FisherBroyles, LLP

Founded in 2002, FisherBroyles, LLP is the first and world’s largest distributed law firm partnership. The Next Generation Law Firm® has grown to hundreds of partners practicing in 23 markets globally. The FisherBroyles’ efficient and cost-effective Law Firm 2.0® model leverages talent and technology instead of unnecessary overhead that does not add value to our clients, all without sacrificing BigLaw quality. Visit our website at to learn more about our firm’s unique approach and how we can best meet your legal needs.

These materials have been prepared for informational purposes only, are not legal advice, and under rules applicable to the professional conduct of attorneys in various jurisdictions may be considered advertising materials. This information is not intended to create an attorney-client or similar relationship. Whether you need legal services and which lawyer you select are important decisions that should not be based on these materials alone.

© 2021 FisherBroyles LLP