In 2016, plaintiffs alleged an anonymous hacker stole personally identifiable information of at least 200,000 patients from an orthopedic clinic. The hacker demanded a ransom, which the clinic refused to pay. The clinic notified the plaintiffs of the breach in August 2016. Plaintiffs filed a class-action lawsuit against the clinic and asserted claims for negligence, breach of implied contract, and unjust enrichment. They sought damages based on costs related to credit monitoring and identity–theft protection, as well as attorney fees. The clinic filed a motion to dismiss, which the trial court granted on June 26, 2017. The Court of Appeals upheld this decision on June 27, 2018. On December 23, 2019, the Supreme Court of Georgia overturned the opinion of the Court of Appeals. It concluded that the trial court erred in dismissing the plaintiffs’ negligence claims due to failure to plead a legally cognizable injury. Because the error may have affected the Court of Appeals’ other holdings, the Court vacated those as well and remanded the case.
The Supreme Court cited the relevant allegations in the plaintiffs’ complaint:
Here, the plaintiffs alleged that (1) a thief stole a large amount of personal data by hacking into a business’s computer databases and demanded a ransom for the data’s return, (2) the thief offered at least some of the data for sale, and (3) all class members now face the “imminent and substantial risk” of identity theft given criminals’ ability to use the stolen data to assume the class members’ identities and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts in their names.
Based on these allegations, the Supreme Court concluded that the trial court should not have dismissed the plaintiffs’ case on the clinic’s motion to dismiss.
Collins v. Athens Orthopedic Clinic, P.A., — Ga. –, 2019 WL 7046786 (Dec. 23, 2019).