Georgia Supreme Court Overturns Ruling on Athens Orthopedic Clinic Data Breach Lawsuit

A lawsuit filed against Athens Orthopedic Clinic over a June 2016 cyberattack by TheDarkOverlord has been revived by the Georgia Supreme Court.

The cyberattack in question involved the theft of patient data from the clinic. A ransom demand was issued and the hacking group claimed the data would be returned if the ransom was paid. The clinic refused to pay the ransom and, in response, the hacking group claimed to have sold some of the data. Later, the hacking group published portions of the stolen data on Pastebin, where it was downloaded by others.

Three victims of the data breach, Christine Collins, Paulette Moreland, and Kathryn Strickland, alleged that since their personal data had fallen into the hands of cybercriminals, was offered for sale on the dark net, and had been downloaded by some individuals, they were placed at risk of identity theft and other types of fraud. 

One of the plaintiffs, Christine Collins, alleged there were fraudulent charges made to her credit card shortly after the cyberattack and that she had to spend time getting those charges reversed. She also had to place fraud alerts on her credit file to prevent further harm.

The plaintiffs sought damages for the costs they had incurred arranging credit monitoring and identity theft protection services, which were not offered by the clinic, as well as attorneys' fees, and also sought injunctive relief under the Georgia Uniform Deceptive Trade Practices Act.

The lawsuit was granted standing by the lower court, but Athens Orthopedic Clinic filed a motion to dismiss, which was granted by the Court of Appeals. The Court of Appeals found the negligence claim was invalid, as the plaintiffs were attempting to recover damages for “an increased risk of harm.” This was considered speculative harm and did not constitute a cognizable injury under Georgia tort law.

The Supreme Court has now overturned that decision and has ruled that the plaintiffs had alleged sufficient harm for the case to survive a motion to dismiss.

“The plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial.’ This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach. As this case comes before us on a motion to dismiss, we must accept this factual allegation as true,” wrote the Supreme Court in its ruling.

The Supreme Court determined the Court of Appeals based its ruling on two other cases that were far different from the Athens Orthopedic Clinic cyberattack. In both of those cases, there was no evidence to suggest that any stolen data had been obtained by cybercriminals; therefore, there was no imminent and substantial risk of identity theft and fraud.

In the case of the Athens Orthopedic Clinic cyberattack, the plaintiffs’ data was stolen by a cybercriminal who threatened to sell the data and attempted to do so, and the data was downloaded by others. “At this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers.” Consequently, there is an “imminent and substantial risk” of identity theft and fraud. The Supreme Court ruled that “These allegations are sufficient to survive a motion to dismiss the plaintiffs’ negligence claims.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.