[BreachExchange] Georgia Revives Patient Breach Lawsuit Against Athens Orthopedic

Destry Winant destry at riskbasedsecurity.com
Fri Jan 3 10:00:09 EST 2020


https://healthitsecurity.com/news/georgia-revives-patient-breach-lawsuit-against-athens-orthopedic

The Supreme Court of Georgia has revived a patient data breach lawsuit
against Athens Orthopedic Clinic, by unanimously reversing a Court of
Appeals decision to dismiss the case.

In July 2016, Athens Orthopedic reported that its EHR system had been
compromised by a hacker using credentials stolen from a third-party
vendor, potentially exposing a trove of health information and other
sensitive data belonging to both current and former patients.

Reportedly, in June of 2016 a hacking group known as thedarkoverlord
(TDO) stole the personally identifiable information of those patients,
including Social Security numbers. At the time, Athens Orthopedic
notified patients that it did not have insurance to cover the
cyberattack, impacting its ability to provide credit monitoring and
identity theft restoration services.

During that same time period, TDO allegedly hacked and stole the
information of about 655,000 individuals from multiple US healthcare
organizations, including 397,000 from an unnamed organization in
Georgia.

The sensitive information was then posted online and on the dark web
for sale, after attempts to extort the organizations failed. As a
result, those individuals faced a higher risk of identity fraud.

In response, patients impacted by the breach filed a lawsuit against
Athens Orthopedic. The Court of Appeals initially dismissed the case
because the plaintiffs sought “only to recover for an increased risk of
harm.” The court also concluded that credit monitoring and other
precautionary measures were designed to ward off “future speculative
harm.”

According to the decision to revive the lawsuit, the judges concluded
that given the stolen data, the “injury the plaintiffs allege that
they have suffered is legally cognizable.”

“Because the Court of Appeals held otherwise in affirming dismissal of
the plaintiffs’ negligence claims, we reverse that holding,” the
judges wrote. “Because that error may have affected the Court of
Appeals’s other holdings, we vacate those other holdings and remand
the case.”

The lawsuit claims that patients have already faced fraudulent
attempts to obtain credit cards, tax returns or checks, identity
theft, and attempts to open new accounts in the breach victims’ names.
Some patients have already spent time reversing fraudulent charges
made with their credit cards.

“Here, the plaintiffs allege that criminals are now able to assume
their identities fraudulently and that the risk of such identity theft
is ‘imminent and substantial,’” according to the decision. “This
amounts to a factual allegation about the likelihood that any given
class member will have her identity stolen as a result of the data
breach.”

The patients are asking the court for class certification and are
bringing claims for negligence, breach of implied contract, and unjust
enrichment. Further, the victims are seeking damages for the costs of
credit monitoring and identity theft protection, in addition to
attorneys’ fees.

The lawsuit also requests a declaratory judgment that the clinic must
take measures to better secure patient data.

Currently, the Office for Civil Rights has not posted a closing
summary for its investigation into the Athens Orthopedic data breach.
One known member of TDO, Nathan Wyatt, was recently extradited from
the UK to stand trial in St. Louis for his role in the group’s hacking
efforts. Wyatt is accused of “aggravated identity theft, threatening
to damage a protected computer, and conspiring to commit those and
other computer fraud offenses.”

