Georgia Supreme Court Overturns Court of Appeals Ruling on Athens Orthopedic Clinic Data Breach Case

The Georgia Supreme Court revived a lawsuit filed against Athens Orthopedic Clinic regarding a cyberattack by TheDarkOverlord in June 2016.

The cyberattack involved the theft of patient data from Athens Orthopedic Clinic. The hacking group issued a ransom demand and said that it would restore the data once the ransom was paid. The clinic declined to pay the ransom, and the hacking group replied by saying that it had sold some of the stolen information. Later on, the hacking group posted certain stolen information on Pastebin, where other people could download it.

Three victims of the data breach, Paulette Moreland, Christine Collins, and Kathryn Strickland, say they have faced risks of identity theft and fraud from the time the cybercriminals got hold of their personal data, posted it for sale on the darknet, and some people downloaded it.

Christine Collins, one of the plaintiffs, claimed her credit card had fraudulent charges soon after the cyberattack. Those charges were reversed, but she needed to spend time working on it. She also placed fraud alerts on her credit card to avoid further problems.

The plaintiffs want damages covering the fees they had to pay for credit monitoring and identity theft protection services, as the clinic did not offer such services, plus attorneys' fees. They also want injunctive relief under the Georgia Uniform Deceptive Trade Practices Act.

The lower court granted standing to the lawsuit. However, Athens Orthopedic Clinic submitted a motion to dismiss, which the Court of Appeals granted. The Court of Appeals decided that the negligence claim was invalid, seeing that the plaintiffs were trying to get damages for a heightened risk of harm. Under Georgia tort law, this was regarded as speculative harm that would not amount to a cognizable injury.

The Supreme Court has now overturned that decision, stating that the plaintiffs had alleged adequate harm for the case to survive the motion to dismiss.

The Supreme Court stated in its ruling that the plaintiffs claim the cybercriminals could steal their identities for fraudulent acts and that there is an “imminent and substantial” risk of identity theft. This amounts to a legitimate allegation regarding the possibility of identity theft for any class member because of the data breach. Since the lawsuit is being considered on a motion to dismiss, this factual allegation should be accepted as true.

The Supreme Court determined that the Court of Appeals’ ruling was based on two cases that were not comparable to the cyberattack on Athens Orthopedic Clinic. In those two cases, there was no proof indicating that the cybercriminals stole information; consequently, there was no imminent and substantial risk of identity theft and fraud.

In the Athens Orthopedic Clinic cyberattack, a cybercriminal stole the plaintiffs’ information, threatened to sell it, and tried to do so, and other people downloaded the information. At this stage, it should be presumed that the plaintiffs’ data was maliciously accessed by a criminal actor and that there was an attempt to sell some of the information to other wrongdoers. Therefore, the “imminent and substantial risk” of identity theft and fraud is real. The Supreme Court decided that the plaintiffs’ negligence claims are adequate to survive the motion to dismiss.