An employee's lawsuit over UPMC's personal data breach has a chance of going where no similar lawsuit has gone before: to trial, a legal expert said.

“I think this lawsuit has a chance,” said David Thaw, an assistant professor of law and information sciences at the University of Pittsburgh.

Most lawsuits over data breaches focus on money and get thrown out because they seek compensation for damages that might be incurred or that cannot be tied conclusively to the data breach, he said.

But Alice Patrick's lawsuit seeks 25 years of credit and bank monitoring, credit restoration services and identity theft insurance.

Patrick, a dialysis clinician at UPMC McKeesport, sued on Friday in federal court in Pittsburgh on behalf of 27,000 UPMC employees whose personal information was compromised during a data breach discovered this year.

Patrick's lawyer, Sunshine Fellows, and UPMC spokeswoman Susan Manko declined to comment.

Thaw, who's moving to Pittsburgh from the University of Connecticut, based his comments on a description of the lawsuit because he did not have computer access to read it. From the description, it's unique, he said.

“I haven't seen a major (data breach) lawsuit taking this approach,” he said.

The lawsuit claims the medical giant and its payroll processor, Ultimate Software Group Inc. of Weston, Fla., were negligent in the security measures they took to protect employee information.

In particular, they failed to meet Federal Trade Commission standards for login, encryption and firewall protections, the lawsuit states.

Credit monitoring services typically start at $10 a month. Covering 27,000 employees at that rate for 25 years, UPMC and Ultimate Software would end up spending $81 million.

The lawsuit does not say whether the McKeesport resident was one of the employees whose personal information thieves used to file at least 788 false tax returns in an attempt to steal money from the Internal Revenue Service.

Even without the lawsuit, the data breach could end up costing UPMC more than $5 million. The average cost is $201 per record, figuring in such things as the cost of an investigation and typical one-year periods of credit monitoring, said Larry Ponemon, president and founder of Michigan-based Ponemon Institute, which researches cybercrime issues.

The institute annually interviews information technicians, security officers and other top officials at more than 250 companies internationally to come up with its estimates.

Its 2014 study shows the average breach involved about 29,000 records, he said.

Seeking 25 years of credit monitoring is somewhat unusual, Thaw said. Most of the cases he's familiar with include credit monitoring agreements ranging from six months to five years.

Brian Bowling is a staff writer for Trib Total Media. He can be reached at 412-325-4301 or bbowling@tribweb.com.

---

Copyright ©2025— Trib Total Media, LLC (TribLIVE.com)

---