An attorney seeking to represent all of the victims of a breach of UPMC personnel data claimed Saturday that the damage from the compromise of personal information has yet to be calculated, and could continue to worsen. A company faulted in his lawsuit, meanwhile, suggested that it may not have any business relationship with UPMC, and hinted at a countersuit.
Attorney Benjamin Sweet and others from his North Shore firm, Carlson Lynch, plus attorneys at Downtown-based Kraemer, Manes & Associates, on Friday sued UPMC and Ultimate Software Group of Weston, Fla., over the loss of employee data and subsequent identity thefts. They seek class-action status in U.S. District Court, and would represent current and former UPMC employees who have been affected by the breach.
"We find it extremely troubling that when UPMC first confirmed the identity thefts in February, it claimed that only about 20 workers were affected," wrote Mr. Sweet, in response to questions from the Post-Gazette. "Now, UPMC has admitted that the personal and financial information of more than 27,000 workers has been compromised, and that at least 788 of those have already been the victims of tax fraud."
The lawsuit, filed Friday, claims that UPMC and human resources vendor Ultimate Software "violated federal guidelines and failed to meet current data security industry standards by failing to ensure adequate security" of employee personal and financial information. That amounts to negligence and breach of the implied contracts between UPMC entities and their employees, the lawsuit claims.
A UPMC spokeswoman declined comment. The hospital system has maintained that no patient information has been leaked, and that it is working with the IRS, Secret Service and FBI to determine the source of the breach.
Ultimate Software executive vice president Mitchell Dauerman said Saturday that his firm has not provided services to UPMC or its subsidiaries, and suspected that it has been wrongly implicated.
"UPMC is not a client of ours. We don't believe that any of its subsidiaries are clients of ours," he said. "If appropriate, we will assert our rights against those who may have falsely accused us."
Mr. Sweet could not be reached for comment on Mr. Dauerman's statement.
Alice Patrick, of McKeesport, who would be the lead plaintiff in the lawsuit, is a dialysis clinician at UPMC McKeesport, according to the complaint.
The lawsuit suggests that Ms. Patrick was among the 788 employees who, according to UPMC, were the victims of tax return fraud as a result of the breach.
In tax return fraud, someone obtains another person's vital information and uses electronic filing services to claim a tax refund in the victim's name. When the victim seeks to file a legitimate return, they find that their refund has already been collected, and must then go through a process to obtain their money that is due to them.
The lawsuit indicates that damages could exceed $5 million. It suggests that the victims must also live in fear of other forms of identity theft, since their Social Security numbers and other identifying information have been captured by others.
"At this point, we don't know how far the damage caused by this colossal data breach has extended and, what is worse, it does not appear that UPMC knows either," Mr. Sweet wrote.
The 788 stolen refunds are "just the beginning," predicted Robert Siciliano, the chief executive officer of BestIDTheftCompanys.com, based in Boston. "All of these people, and all of these socials, are at risk, for life" for refund theft and other identity theft crimes.
Mr. Siciliano said that until the past few months, no group of victims of data breaches has succeeded in court. Very recently, though, judges have "started to look at it differently," in light of the scale of data compromises nationwide.
The lawsuit against Ultimate Software and UPMC seeks monetary damages, 25 years of credit monitoring and credit restoration for the affected employees, and payment of fees and expenses associated with the litigation.
Carlson Lynch also represents nine banks in lawsuits against Target Corp., which lost the credit card information of tens of millions of shoppers last year.
Rich Lord: firstname.lastname@example.org, 412-263-1542, or on Twitter: @richelord. First Published May 10, 2014 2:09 PM