Dittman, B. v. UPMC
154 A.3d 318
| Pa. Super. Ct. | 2017

Background

  • UPMC stored sensitive personal and financial data (names, birthdates, SSNs, tax and bank info) of ~62,000 current and former employees; that data was later stolen in a data breach and used to file fraudulent tax returns for some victims.
  • Appellants (employees) sued UPMC for negligence and breach of implied contract on behalf of two classes: those already victimized by identity theft and those at increased risk from the breach.
  • Plaintiffs alleged UPMC failed to implement reasonable cybersecurity safeguards (encryption, firewalls, authentication) and that this breach caused economic losses and increased future identity-theft risk.
  • UPMC filed preliminary objections arguing lack of duty, the economic-loss bar, and no implied contract; the trial court sustained the objections and dismissed both claims; plaintiffs appealed.
  • The Superior Court applied the five-factor Althaus duty test and concluded (after weighing relationship, social utility, foreseeability, consequences of imposing a duty, and public interest) that no legal duty to protect against this type of third-party data theft existed on the facts pled.
  • The court also held the Bilt‑Rite exception to the economic-loss doctrine did not apply and that plaintiffs alleged no objective manifestations of an implied contract or consideration to support a breach-of-implied-contract claim.

Issues

| Issue | Plaintiff's Argument | Defendant's Argument | Held |
| --- | --- | --- | --- |
| Whether employer owes legal duty to reasonably safeguard employee data stored on internet-accessible systems | UPMC had a duty to protect employees' sensitive data collected as condition of employment; negligent storage caused foreseeable harm | No judicial duty should be imposed for generalized cybersecurity risks absent specific notice of vulnerability; legislature already addresses breach notification | No duty found under Althaus factors given facts pled; duty not imposed |
| Whether negligence claim can recover purely economic losses (economic-loss doctrine) | Plaintiffs say tort recovery is available because breach of a common-law duty was pleaded; Bilt‑Rite permits economic recovery in some tort contexts | Economic-loss doctrine bars negligence claims for purely economic harm unless a legal duty or special relationship exists; Bilt‑Rite exception is narrow | Economic-loss doctrine bars the claim because no legal duty or special relationship was shown; Bilt‑Rite exception inapplicable |
| Whether an implied contract existed requiring UPMC to protect employee data | Implied contractual duty arises from employer requiring data and thus assuming responsibility for its protection | No objective manifestations of assent, and no consideration given for data safekeeping (data provided for employment) | No implied contract; dismissal proper |

Key Cases Cited

  • Seebold v. Prison Health Servs., Inc., 57 A.3d 1232 (Pa. 2012) (standard for reviewing preliminary objections and discussing Althaus duty analysis)
  • Althaus ex rel. Althaus v. Cohen, 756 A.2d 1166 (Pa. 2000) (five-factor test for whether a legal duty exists)
  • Bilt-Rite Contractors, Inc. v. The Architectural Studio, 866 A.2d 270 (Pa. 2005) (narrow exception allowing recovery of economic loss in tort in limited circumstances)
  • Ford v. Jeffries, 379 A.2d 111 (Pa. 1977) (criminal acts of third parties may be superseding causes unless defendant realized or should have realized the risk)
  • Phillips v. Cricket Lighters, 841 A.2d 1000 (Pa. 2003) (Althaus factors require balancing; no single factor is dispositive)

Case Details

Case Name: Dittman, B. v. UPMC
Court Name: Superior Court of Pennsylvania
Date Published: Jan 12, 2017
Citation: 154 A.3d 318
Docket Number: 971 WDA 2015
Court Abbreviation: Pa. Super. Ct.