ATLANTA (Legal Newsline) – Patients from an orthopedic center who were victims of a security hack plausibly pleaded their claims, the Supreme Court of Georgia determined on Dec. 23.
The plaintiffs are made up of current and previous patients of Athens Orthopedic Clinic PA who sued after the facility told them a hacker accessed their personal data in 2016 via the clinic. The hacker wanted a ransom, but the clinic didn’t pay up, so they sold some of the data on the dark web, while other information was accessible on the data-storage site Pastebin.
“We conclude that the injury the plaintiffs allege that they have suffered is legally cognizable,” Justice Nels S.D. Peterson wrote.
The Court of Appeals previously affirmed the dismissal of the plaintiffs’ negligence claims and the Supreme Court reversed that ruling. It also vacated the remainder of the Court of Appeals’ determinations and remanded the case.
The Supreme Court noted that the main previous rulings that the Court of Appeals depended on when making its determination didn’t apply in this case.
In this particular case, the plaintiffs allege that the hackers now have their information and the subsequent ability to steal their identities. This case also differs because the plaintiffs claim the hackers stole a vast amount of personal data and then demanded a ransom for the data to be return. They also sold some of the data, putting the plaintiffs at risk of identity theft and possibly allowing the hackers to open bank accounts in their names, withdraw funds and even file tax returns.
“We are much further along in the chain of inferences that one must draw in order to conclude that the plaintiff will likely suffer identity theft,” wrote Peterson.
He added that the lower courts shouldn’t have tossed out the complaint for failure to allege a cognizable injury and noted that the current ruling complies with Georgia law and previous cases.
All of the justices agreed with the opinion.