◆ A ruling from Georgia’s highest state court could set a precedent that determines recourse for victims of cyberattacks. The Georgia Supreme Court ruled in late December that the victims of a hack involving Athens Orthopedic Clinic can sue the clinic. The unanimous ruling reverses the Georgia Court of Appeals decision to throw the case out. The Georgia high court justices found that even the threat of future harm to a data breach victim is enough to warrant compensation under the law. This could set statewide precedent in these types of crimes. The hack involved a cybercriminal group calling itself the “Dark Overlord,” and led to the breach of protected health information (PHI) for an estimated 200,000 patients. Athens Orthopedic Clinic refused to pay the hackers’ ransom, and advised current and former patients to set up anti-fraud protections. Three patients sued, demanding that the clinic pay damages. The case now returns to the lower court in Athens-Clarke County for further proceedings.
◆ In another lawsuit involving a data breach, a Poughkeepsie, New York, woman has filed a class action suit in the U.S. District Court over a July 2018 phishing attack that exposed the personal and medical information of more than 28,000 customers of Health Quest, a hospital and provider group. The lawsuit assailed the defendants “for their failure to exercise reasonable care in securing and safeguarding their patients’ sensitive personal data,” including names, dates of birth, Social Security numbers, driver’s license numbers and financial account information. “Defendants’ security failures enabled the hackers to steal the private information of plaintiff and members of the class…. These failures put plaintiff’s and class members’ private information and interests at serious, immediate, and ongoing risk and, additionally, caused costs and expenses,” the lawsuit claims. Health Quest became part of Nuvance Health in a 2019 merger, and Nuvance also is named in the lawsuit.