Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages.

The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord.

The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion. Breached entities are issued a ransom demand, which must be paid in order to prevent publication of the stolen data. Athens Orthopedic did not pay the ransom demand.

The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data.

Athens Orthopedic monitored websites to determine whether patient data had been published and took steps to take down a list containing the PHI of 500 of its patients, which had been posted on PasteBin. The information was eventually removed, but during the time it was accessible online it is possible that multiple individuals copied the data. The Dark Overlord also listed data for sale online, although it is unclear whether anyone bought the dataset.

Athens Orthopedic notified its patients about the breach and advised them to contact one of the three credit reporting agencies to place a fraud alert on their credit file. Even though Social Security numbers were stolen, affected patients were not offered credit monitoring or identity theft restoration services.

A class action lawsuit was filed on behalf of three victims of the breach – Christine Collins, Paulette Moreland, and Kathryn Strickland – shortly after the breach was announced. The plaintiffs seek compensation for the time spent protecting their identities and reimbursement of legal fees and the cost of past and future credit monitoring services.

The plaintiffs allege negligence, breach of implied contract, unjust enrichment, and violation of the Georgia Uniform Deceptive Trade Practices Act.

While victims of the breach have incurred costs, there is the issue of whether an injury has been suffered. Collins alleges she had fraudulent charges on her credit card shortly after the breach but failed to allege they were the result of the cyberattack and did not demonstrate PHI had been misused as a direct result of the breach.

The case was dismissed by the Trial Court and the Georgia Court of Appeals as the plaintiffs could demonstrate no financial loss or harm as a direct result of the cyberattack. Consequently, they are not entitled to claim damages under Georgia law. The decision was appealed, and it is now down to the Georgia Supreme Court to determine whether there are any compensable injuries. Oral arguments were heard this week.

“By ruling that the plaintiffs have failed to allege a compensable injury, the message delivered thus far in this case has been that data-breach victims in Georgia have no legal rights, regardless of how careless the defendant’s data security practices may have been,” argued the plaintiffs’ attorneys.

The plaintiffs allege Athens Orthopedic Clinic has not taken any steps to improve security and that “It continues to store the plaintiffs’ personally identifiable information on computer systems that employ the same lax security measures that permitted the hacker to access and steal the plaintiffs’ information.”

They also maintain their claims should not have been dismissed as “a present injury is not a required element for the plaintiffs’ breach of contract, unjust enrichment, declaratory judgment, or injunctive relief claims under Georgia law.”

The Supreme Court is expected to issue a ruling on the case – Collins Et Al. Vs. Athens Orthopedic Clinic, P.A. – within the next six months. Should the Supreme Court overturn the decision of the Court of Appeals, it will have implications for data breach victims not only in the state of Georgia, but throughout the United States.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.