The Supreme Court of Georgia has revived a patient data breach lawsuit against Athens Orthopedic Clinic, unanimously reversing a Court of Appeals decision that had dismissed the case.
In July 2016, Athens Orthopedic reported that its electronic health record (EHR) system had been accessed by a hacker using credentials stolen from a third-party vendor, potentially exposing a trove of health information and other sensitive data belonging to both current and former patients.
Reportedly, in June of 2016 a hacking group known as thedarkoverlord (TDO) stole the personally identifiable information of those patients, including Social Security numbers. At the time, Athens Orthopedic notified patients that it did not have insurance to cover the cyberattack, impacting its ability to provide credit monitoring and identity theft restoration services.
During that same time period, TDO allegedly hacked and stole the information of about 655,000 individuals from multiple US healthcare organizations, including 397,000 from an unnamed organization in Georgia.
The sensitive information was then posted online and on the dark web for sale, after attempts to extort the organizations failed. As a result, those individuals faced a higher risk of identity fraud.
In response, patients impacted by the breach filed a lawsuit against Athens Orthopedic. The Court of Appeals initially dismissed the case because the plaintiffs sought “only to recover for an increased risk of harm.” The court also concluded that credit monitoring and other precautionary measures were designed to ward off “future speculative harm.”
In the decision reviving the lawsuit, the court concluded that, given the nature of the stolen data, the “injury the plaintiffs allege that they have suffered is legally cognizable.”
“Because the Court of Appeals held otherwise in affirming dismissal of the plaintiffs’ negligence claims, we reverse that holding,” the judges wrote. “Because that error may have affected the Court of Appeals’s other holdings, we vacate those other holdings and remand the case.”
The lawsuit claims that patients have already faced fraudulent attempts to obtain credit cards, tax returns or checks, identity theft, and attempts to open new accounts in the breach victims’ names. Some patients have already spent time reversing fraudulent charges made with their credit cards.
“Here, the plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is ‘imminent and substantial,’” according to the decision. “This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach.”
The patients are asking the court for class certification, arguing that Athens Orthopedic was negligent, breached an implied contract, and was unjustly enriched. The victims are also seeking damages for the costs of credit monitoring and identity theft protection, in addition to attorneys’ fees.
The lawsuit further requests a declaratory judgment that the clinic must take measures to better secure patient data.
Currently, the HHS Office for Civil Rights (OCR) has not posted a closing summary for its investigation into the Athens Orthopedic data breach. One known member of TDO, Nathan Wyatt, was recently extradited from the UK to stand trial in St. Louis for his role in the group’s hacking efforts. Wyatt is accused of “aggravated identity theft, threatening to damage a protected computer, and conspiring to commit those and other computer fraud offenses.”