Ransomware Data Breach Lawsuit Against Sarrell Regional Dental Center Tossed by Federal Judge

A lawsuit filed against Sarrell Regional Dental Center for Public Health Inc. over a July 2019 ransomware attack has been dismissed by a Federal judge due to a lack of standing.

Sarrell was able to recover from the attack and restore its computer systems and data without paying the ransom, although the dental center was forced to close for two weeks while its systems were restored. No evidence was found to indicate patient data was accessed or downloaded from its systems, although it was not possible to rule out a data breach with 100% certainty so notification letters were sent to the 391,000 patients whose personal and protected health information (PHI) was potentially compromised.

A lawsuit was filed against Sarrell in 2019 on behalf of patients affected by the attack. The lawsuit sought class action status and damages for patients whose PHI was potentially compromised in the attack. The lawsuit alleged patients faced a higher risk of identity theft as a result of the attack and had to cover the cost of credit monitoring services.

Judge R. Austin Huffaker Jr. stated in his ruling that while the extent and depth of the breach were “murky”, Sarrell had conducted an investigation into the attack and found no evidence that files containing protected health information had been accessed or exfiltrated by the attackers and there was no evidence patient information had been misused in any way.

The lawsuit alleged the ransomware attack was a direct result of the failure of Sarrell to implement reasonable cybersecurity procedures and protocols and patients’ personal and protected health information was now likely in the hands of identity thieves. Consequently, patients affected by the breach had to spend time and money protecting themselves against identity theft and fraud. However, Judge Austin Huffaker viewed the claims as speculative, since the plaintiffs failed to provide “at least some plausible specific allegation of actual or likely misuse of data.”

Since the plaintiffs and putative class members failed to allege they had suffered identity theft or fraud as a result of the ransomware attack, there were insufficient grounds to sue Sarrell for the security breach. “The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide plaintiffs with standing to sue,” wrote Judge Austin Huffaker. “The plaintiffs fail to allege that they or members of the putative class have suffered actual identity theft. Instead, their pleading speaks of ‘possibilities’ and traffics in ‘maybes’.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.