The Georgia Supreme Court overturned on Monday an appellate court ruling dismissing a suit brought against a medical clinic by patients whose data had been stolen by hackers.
In June 2016 a criminal hacking group known as Dark Overlord stole the private data, including names, addresses, and social security numbers, of 200,000 patients from Athens Orthopedic Clinic, with at least some of that data ending up online. Three of the victims sued the clinic for negligence, breach of implied contract, and unjust enrichment.
The trial court granted the clinic’s motion to dismiss the case, and a divided appeals court affirmed that ruling. In prior cases, Georgia courts have held that simple exposure of private data was not enough to bring a negligence suit, because the future harm flowing from the exposure was too speculative in nature.
However, the Supreme Court found that the facts in this case are different enough to allow for a negligence claim. The plaintiffs’ private information was not just exposed; it was actively stolen by a criminal enterprise, substantially raising the likelihood that any given plaintiff will be a victim of identity theft. The court noted that the federal district court case In re Equifax, Inc., Customer Security Breach Litigation, which also involved the criminal theft of personal data, held that the risk of identity theft in such circumstances was enough to support a negligence claim.
The case sets precedent for similar claims of harm, and could have far-reaching implications. In its opinion, the court acknowledged that this is a new type of injury, and that “traditional tort law is a rather blunt instrument for resolving all of the complex tradeoffs at issue in a case such as this.”
The court suggested that it should be up to the legislature to determine how best to handle such cases in the future.