Orthopedics This Week
Victims Can Sue Ortho Clinics if Data Hacked

December 30, 2019

The Georgia Supreme Court has ruled that the victims of a data breach at an orthopedic clinic may sue the clinic for damages.

Georgia’s highest court concluded that “the plaintiffs’ negligence claim should not have been dismissed” and “the injury the plaintiffs allege that they have suffered is legally cognizable.” This ruling reverses the Georgia Court of Appeals decision affirming the trial court’s decision to grant the clinic’s motion to dismiss the plaintiffs’ negligence claims.

Georgia courts have previously held that plaintiffs failed to show a legally cognizable injury where personal information is exposed but has not fallen into criminal hands or been used to the consumers’ detriment. However, the Georgia Supreme Court found that the facts in this case differ because there are allegations of large-scale criminal activity and the plaintiffs’ personal information was not just exposed, it was actively stolen by a hacker.

In June 2016, an anonymous hacking group known as the “Dark Overlord” hacked into Athens Orthopedic Clinic, P.A.’s computer databases. Dark Overlord stole the personal information of at least 200,000 patients, including social security numbers, addresses, birth dates, and health insurance details. The group demanded a ransom, but Athens Orthopedic Clinic refused to pay.

Dark Overlord then made some of the personal information available for sale on the “dark web.” The group also made some of the personal information available, at least temporarily, on Pastebin, a data-storage website designed for the sharing of large amounts of data online. Athens Orthopedic Clinic notified its patients of the breach in August 2016 and advised patients to set up anti-fraud protections.

In January 2017, three of the hacking victims sued the clinic. The plaintiffs “sought class certification and asserted claims for negligence, breach of implied contract, and unjust enrichment.” The plaintiffs sued for damages based on costs related to credit monitoring and identity theft protection, as well as attorneys’ fees. The plaintiffs also asked the courts to provide injunctive relief under the Georgia Uniform Deceptive Trade Practices Act and “a declaratory judgment to the effect that the Athens Orthopedic Clinic must take certain actions to ensure the security of class members’ personal data in the future.”

The district court dismissed the lawsuit in June 2017, and the Georgia Court of Appeals affirmed that decision, ruling that “costs of prophylactic measures” were “not recoverable damages.”

This new Georgia Supreme Court decision means that the case can move forward. However, the court did suggest that it should be up to the legislature to determine how best to handle such cases in the future.

Incidents of cyber hacking have been on the rise and are being actively investigated. Nathan Wyatt was recently extradited from the United Kingdom to the Eastern District of Missouri and arraigned on December 18, 2019. Wyatt is alleged to have had a role in “The Dark Overlord” hacking in Missouri dating back to 2016. He faces charges of aggravated identity theft, threatening to damage a protected computer, and conspiring to commit those and other computer fraud offenses.

For OTW’s previous coverage of this cybersecurity case, see “Can Clinic Data Breach Victims Sue if No Financial Loss?”

A publication of RRY Publications, LLC
