Collins et al. v. Athens Orthopedic Clinic, P.A.Annotate this Case
Plaintiffs alleged in 2016, an anonymous hacker stole the personally identifiable information, including Social Security numbers, addresses, birth dates, and health insurance details, of at least 200,000 current and former patients of Athens Orthopedic Clinic (“the Clinic”) from the Clinic’s computer databases. The hacker demanded a ransom, but the Clinic refused to pay. The hacker offered at least some of the stolen personal data for sale on the so-called “dark web,” and some of the information was made available, at least temporarily, on Pastebin, a data-storage website. The Clinic notified plaintiffs of the breach in August 2016. Each named plaintiff alleges that she has “spent time calling a credit reporting agency and placing a fraud or credit alert on her credit report to try to contain the impact of the data breach and anticipates having to spend more time and money in the future on similar activities.” Plaintiffs sought class certification and asserted claims for negligence, breach of implied contract, and unjust enrichment, seeking damages based on costs related to credit monitoring and identity theft protection, as well as attorneys’ fees. They also sought injunctive relief under the Georgia Uniform Deceptive Trade Practices Act (“UDTPA”), and a declaratory judgment to the effect that the Clinic must take certain actions to ensure the security of class members’ personal data in the future. The Clinic filed a motion to dismiss based on both OCGA 9-11-12 (b) (1) and OCGA 9-11-12 (b)(6), which the trial court granted summarily. The Georgia Supreme Court concluded the injury plaintiffs alleged they suffered was legally cognizable. Because the Court of Appeals held otherwise in affirming dismissal of plaintiffs’ negligence claims, the Supreme Court reversed that holding. Because that error may have affected the Court of Appeals’s other holdings, the Court vacated those other holdings and remanded the case.