In its decision filed on December 23, 2019, the Supreme Court of Georgia (“Georgia Supreme Court”) held: “The plaintiffs here, current or former patients of the defendant medical clinic, brought a putative class action after the clinic informed them that a hacker had stolen their personal data from the clinic. We conclude that the injury the plaintiffs allege that they have suffered is legally cognizable.”
In June 2016, an anonymous hacker stole the personally identifiable information, including Social Security numbers, addresses, birth dates, and health insurance details, of at least 200,000 current and former patients of Athens Orthopedic Clinic (“the Clinic”) from the Clinic’s computer databases. The hacker demanded a ransom, but the Clinic refused to pay. The hacker offered at least some of the stolen personal data for sale on the so-called “dark web,” and some of the information was made available, at least temporarily, on Pastebin, a data-storage website. The Clinic notified the plaintiffs of the breach in August 2016.
The plaintiffs allege that because their personal data has been compromised and made available to others on the dark web, criminals are now able to assume Class Members’ identit[ies] and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts, all in Class Members’ names. Each named plaintiff alleges that she has spent time calling a credit reporting agency and placing a fraud or credit alert on her credit report to try to contain the impact of the data breach and anticipates having to spend more time and money in the future on similar activities.
The plaintiffs further allege that even Class Members who have not yet experienced identity theft or are not yet aware of it nevertheless face the imminent and substantial risk of future injury.
The trial court granted the defendant’s motion to dismiss, and the Georgia Court of Appeals affirmed, concluding that the plaintiffs had failed to allege a legally cognizable injury (“the fact of compromised data is not a compensable injury by itself in the absence of some loss or damage flowing to the plaintiff’s legally protected interest as a result of the alleged breach of a legal duty”).
Georgia Supreme Court Decision
The Georgia Supreme Court stated, “This case comes before us as an appeal from the grant of a motion to dismiss for failure to state a claim under OCGA § 9-11-12 (b) (6). Such a motion is properly granted when the plaintiff “would not be entitled to relief under any state of provable facts asserted in support” of the allegations in the complaint and “could not possibly introduce evidence within the framework of the complaint sufficient to warrant a grant of the relief sought” … Here, the plaintiffs allege that criminals are now able to assume their identities fraudulently and that the risk of such identity theft is “imminent and substantial.” This amounts to a factual allegation about the likelihood that any given class member will have her identity stolen as a result of the data breach. As this case comes before us on a motion to dismiss, we must accept this factual allegation as true.”
“Here, the plaintiffs alleged that (1) a thief stole a large amount of personal data by hacking into a business’s computer databases and demanded a ransom for the data’s return, (2) the thief offered at least some of the data for sale, and (3) all class members now face the “imminent and substantial risk” of identity theft given criminals’ ability to use the stolen data to assume the class members’ identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names. Assuming the truth of these allegations, as we must at this stage, we must presume that a criminal actor has maliciously accessed the plaintiffs’ data and has at least attempted to sell at least some of the data to other wrongdoers. Moreover, an important part of the value of that data to anyone who would buy it in that fashion is its utility in committing identity theft … Thus, we are much further along in the chain of inferences that one must draw in order to conclude that the plaintiffs here likely will suffer identity theft.”
The Georgia Supreme Court concluded: “Construing the plaintiffs’ allegations — particularly that criminals are able to assume their identities fraudulently as a result of the data breach and that the risk of such identity theft is “imminent and substantial” — in the light most favorable to the plaintiffs, we cannot say that the plaintiffs will not be able to introduce sufficient evidence of injury within the framework of the complaint. The plaintiffs allege that their personal data has been stolen on a mass scale by a criminal, who in turn has offered it for sale to other criminals. They also allege that, as a result, criminals are able to assume their identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names. These allegations raise more than a mere specter of harm … These allegations are sufficient to survive a motion to dismiss the plaintiffs’ negligence claims.”
“Our conclusion that dismissal of the negligence claims for lack of injury is not warranted at this stage does not depend on the plaintiffs’ allegations that the breach has caused them to spend money attempting to mitigate the consequences of the breach by avoiding actual identity theft. Although this may represent all or some measure of the plaintiffs’ damages to date, their allegation that the criminal theft of their personal data has left them at an imminent and substantial risk of identity theft is sufficient at this stage of the litigation.”
Source Collins v. Athens Orthopedic Clinic, P.A., S19G0007.
If you or a loved one may have been injured as a result of medical malpractice in Georgia or elsewhere in the United States, you should find a local medical malpractice attorney in your state who may investigate your medical malpractice claim for you and represent you or your loved one in a medical malpractice case, if appropriate.
Click here to visit our website or call us toll-free in the United States at 800-295-3959 to find medical malpractice lawyers in your state who may assist you.
Turn to us when you don’t know where to turn.