Court of Appeals Revives Chelan-Douglas Health District Data Breach Lawsuit
A Chelan-Douglas Health District data breach lawsuit that was dismissed by the Chelan County Superior Court has been revived by the Washington Court of Appeals. Chelan-Douglas Health District, the public health agency of Wenatchee Valley in Washington state, was sued in June 2022 over a cyberattack and data breach discovered in 2021 that involved the personally identifiable information (PII) and protected health information (PHI) of almost 109,000 individuals.
The lawsuit was filed by Sarah Nunley and Michelle Slater individually and on behalf of others affected by the data breach. The plaintiffs contended that they started receiving a large number of spam phone calls and emails related to medical services after the data breach, including calls from individuals claiming to be from the health district. Nunley alleged that her personal information had been used to file for an unauthorized business license. She also claims to have been notified by her credit monitoring service that her Social Security number had been posted twice on dark web sites and there had been “soft pulls” of her credit by Goldman Sachs.
The lawsuit claimed that the health district was negligent by failing to implement reasonable and appropriate safeguards to ensure the privacy of the sensitive data it gathered and stored, having been made aware in 2020 that the PII and PHI it stored were vulnerable as its security protocols were inadequate, yet failed to take appropriate action to reduce risks and vulnerabilities. The lawsuit also alleged that FBI agents contacted the health district in early May 2021 to warn about an impending cyberattack, and between May 10 and May 14, hackers attempted two separate attacks on its systems and there was an attempted phishing attack, yet even after these incidents no action was taken to improve security. Then, between July 2 and July 4, another cyberattack occurred and sensitive data was exfiltrated from its network. Had action been taken in response to the FBI warning and subsequent attempted cyberattacks the July data breach could have been prevented.
Nunley said she has spent at least 5 hours mitigating the effects of the data breach and has suffered emotional distress due to the theft of her PHI. Both plaintiffs allege an actual injury in the form of a diminution in the value of their PII and the impending injury from the increased risk of fraud. Chelan-Douglas Health District filed a motion to dismiss the lawsuit as the plaintiffs failed to allege a duty of care was owed to them by the health district and did not plead cognizable damages. Chelan County Superior Court Judge Kristin Ferrera dismissed the lawsuit with prejudice for the failure to state a claim upon which relief could be granted.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The plaintiffs appealed the decision and a three-judge appellate panel sided with the plaintiffs and reversed the decision. Acting Chief Judge Tracy Staab, writing on behalf of the appellate panel said, “We hold that companies that collect and store personal identifiable information (PII) and personal health information (PHI) have a duty to use reasonable care in collecting and storing the information. This duty includes taking reasonable steps to prevent unauthorized access and disclosure of the information.” The lawsuit now returns to the Chelan County Superior Court, although Chelan County Health District has the right to appeal the reversal with the Washington Supreme Court.
