Georgia Justices Revive Class Action Over Clinic's Hack of 200,000 Patient Records
A unanimous Supreme Court overturned the trial judge and court of appeals after finding there was sufficient potential for future harm to keep the putative class action alive.
December 23, 2019 at 02:26 PM
5 minute read
Ruling in a case of first impression, a unanimous Georgia Supreme Court revived a putative class action involving claims by at least 200,000 current and former patients of an Athens clinic whose personal information, including names, addresses, Social Security numbers and insurance information, was stolen in a 2016 data breach.
The hackers demanded a ransom but the Athens Orthopedic Clinic refused to pay, and at least some of the patients' information was later made available on the dark web.
The plaintiff's claimed that the hack made them possible targets of identity theft and fraud, and that they had been damaged by having to place fraud alerts on their credit reports. At least one, plaintiff Christine Collins, actually had fraudulent charges made to her credit card after the breach.
A trial judge threw out the case in a bare-bones ruling on a motion to dismiss.
In 2018, a divided Court of Appeals panel affirmed the dismissal, with now-Chief Judge Christopher McFadden writing in dissent that the plaintiffs had sufficiently pleaded facts to survive a motion to dismiss, because their "allegations of future injury show a substantial risk that harm will occur."
The Dec. 23 opinion penned by Justice Nels Peterson agreed. Writing for the court, Peterson said that prior appellate rulings dealing with stolen personal data generally held that plaintiffs had to show the information "had actually fallen into criminal hands" and had been used to harm them in order to show a "legally cognizable injury."
"But this case, which was dismissed on the pleadings despite allegations of large-scale criminal activity, falls into a different category of data-exposure cases," Peterson wrote.
"Here, the plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is 'imminent and substantial,'" he said. "This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach."
As detailed in the appellate rulings, the incident began when then clinic learned in June 2016 that someone self-identified as "Dark Overlord" hacked its computer system. The clinic informed its patients about the hack in August of that year.
When the clinic refused to pay the ransom demanded by Dark Overlord, some of the information was offered for sale on the dark web, and some also showed up on Pastebin, a data-storage and sharing website.
Three plaintiffs filed a putative class action in Clarke County Superior Court in January 2017 asserting claims for violation of the Georgia Uniform Deceptive Trade Practices Act, breach of implied contract, unjust enrichment, and negligence.
Their claimed damages included past and future costs for credit monitoring and identity theft protection, credit freezes on their accounts and injunctive relief.
Cobb County Superior Court Senior Judge Grant Brantley issued a one-paragraph ruling dismissing the case the following June.
In upholding Brantley, then-Court of Appeals Judge William Ray II, who's now on the federal bench, wrote that the plaintiffs claimed damages were too speculative to provide standing.
"While credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us because the plaintiffs seek only to recover for an increased risk of harm."
With the concurrence of Judge Brian Rickman, Ray wrote that such "prophylactic measures" were "insufficient to state a cognizable claim under Georgia law."
In his dissent, McFadden wrote that neither Georgia appellate courts nor the U.S. Court of Appeals for the Eleventh Circuit "have decided whether a data breach, with little more, amounts to an injury in fact for purposes of standing."
"But federal courts have uniformly applied a rule that a substantial risk of future harm is sufficient to show an injury in fact for purposes of standing," McFadden said. "And applying that rule here, leads to the conclusion that the plaintiffs have standing."
The Supreme Court opinion said that the plaintiffs claims were more than sufficient to survive a motion to dismiss, as they alleged that "all class members now face the 'imminent and substantial risk' of identity theft given criminals' ability to use the stolen data to assume the class members' identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names."
"Assuming the truth of these allegations, as we must at this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs' data and has at least attempted to sell at least some of the data to other wrongdoers," Peterson wrote.
The allegations of future injury "show a substantial risk that harm will occur. The allegations thus suffice to establish standing," he said.
The plaintiffs are represented David Bain of Atlanta's Law Offices of David Bain, and Mark Goldman and Douglas Bench of Goldman, Scarlato & Penny in Conshohocken, Pennsylvania. Bain said there would be no comment on the ruling.
Athens Orthopedic Clinic is represented by Chilivis Cochran Larkins & Bever partner J. "Randy" Dalbey, who did not respond to requests for comment Monday.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllUpcoming Changes to Medicare Secondary Payer Reporting: What WC Insurers and Attorneys Need to Know
5 minute readBiden Administration Tells Justices That Bans on Gender Care Are Sex Discrimination
11th Circuit Allows Florida Transgender Health Care Ban to Continue Pending Full Appeal on Constitutionality of Law
Trending Stories
- 1The Key Moves in the Reshuffling German Legal Market as 2025 Dawns
- 2Social Media Celebrities Clash in $100M Lawsuit
- 3Federal Judge Sets 2026 Admiralty Bench Trial in Baltimore Bridge Collapse Litigation
- 4Trump Media Accuses Purchaser Rep of Extortion, Harassment After Merger
- 5Judge Slashes $2M in Punitive Damages in Sober-Living Harassment Case
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250