– The Supreme Courtroom of Georgia has revived a affected person information breach lawsuit towards Athens Orthopedic Clinic, by unanimously reversing a Courtroom of Appeals determination to dismiss the case.
In July 2016, Athens Orthopedic reported its EHR skilled a cyberattack by a hacker utilizing stolen credentials from a third-party vendor, which doubtlessly breached a trove of well being info and different delicate information from each present and former sufferers.
Reportedly, in June of 2016 a hacking group referred to as thedarkoverlord (TDO) stole the personally identifiable info of these sufferers, together with Social Safety numbers. On the time, Athens Orthopedic notified sufferers that it didn’t have insurance coverage to cowl the cyberattack, impacting its capability to offer credit score monitoring and identification theft restoration companies.
Throughout that very same time interval, TDO allegedly hacked and stole the data of about 655,000 people from a number of US healthcare organizations, together with 397,000 from an unnamed group in Georgia.
The delicate info was then posted on-line and on the darkish net on the market, after makes an attempt to extort the organizations failed. In consequence, these people confronted a better danger of identification fraud.
In response, sufferers impacted by breach filed a lawsuit towards Athens Orthopedic. The Courtroom of Appeals initially dismissed the case because the plaintiffs sought “solely to get well for an elevated danger of hurt.” The courtroom additionally concluded that credit score monitoring and different precautionary measures had been designed to push back “future speculative hurt.”
In line with the choice to revive the lawsuit, the judges concluded that given the stolen information, the “harm the plaintiffs allege that they’ve suffered is legally cognizable.”
“As a result of the Courtroom of Appeals held in any other case in affirming dismissal of the plaintiffs’ negligence claims, we reverse that holding,” the judges wrote. “As a result of that error might have affected the Courtroom of Appeals’s different holdings, we vacate these different holdings and remand the case.”
The lawsuit claims that sufferers have already confronted fraudulent makes an attempt to acquire bank cards, tax returns or checks, identification theft, and makes an attempt to open new accounts within the breach victims’ names. Some sufferers have already frolicked reversing fraudulent expenses made with their bank cards.
“Right here, the plaintiffs allege that criminals are actually capable of assume their identities fraudulently and that the danger of such identification theft is ‘imminent and substantial,’” in line with the choice. “This quantities to a factual allegation concerning the chance that any given class member may have her identification stolen because of the information breach.”
The sufferers are asking the courtroom for sophistication certification, arguing Athens Orthopedic was negligent, breached implied contract, and “unjust enrichment.” Additional, the victims are looking for damages for prices related to credit score monitoring and identification theft safety, along with attorneys’ charges.
The lawsuit additionally requests a declaratory judgement that the clinic should take measures to higher safe affected person information.
At present, the Workplace for Civil Rights has not posted a closing abstract for its investigation into the Athens Orthopedic information breach. One recognized member of TDO, Nathan Wyatt, was recently extradited from the UK to face trial in St. Louis for his function within the group’s hacking efforts. Wyatt is accused of “aggravated identification theft, threatening to break a protected laptop, and conspiring to commit these and different laptop fraud offenses.”