DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Commentary: What Constitutes Negligence in Company Data Breaches?

Posted on September 18, 2018 by Dissent

Amy L. Hanna Keeney of Adams and Reese writes about an opinion in a court case that stemmed from one of TheDarkOverlord’s hacks: their attack on Athens Orthopedic Clinic (AOC). I had covered that breach extensively, including commenting on the fact that AOC did not offer any free services to patients whose data had not only been stolen, but had either been publicly dumped on Pastebin and/or reportedly put up for sale on dark net markets.

As Keeney explains in her article, only one of three named plaintiffs in Collins, et al. v. Athens Orthopedic Clinic actually alleged that they had actually experienced fraudulent charges on any of their accounts, and the complaint didn’t actually claim that the fraud had a causal connection to the hack. Basically, the plaintiffs were alleging that they incurred the cost of identity theft protection, credit monitoring, and credit freezes.

Together, the plaintiffs filed a putative class action alleging (1) violation of the Georgia Uniform Deceptive Trade Practices Act by AOC; (2) breach of an implied contract with AOC; (3) unjust enrichment of AOC; and (4) negligence by AOC.

AOC responded to plaintiffs’ complaint by filing a motion to dismiss pursuant to both O.C.G.A. §§ 9-11-12(b)(1) and 12(b)(6).

Disappointingly to privacy advocates, the court held that just an increased risk of harm was not sufficient to grant the plaintiffs standing.

The court explained, “[w]hile credit monitoring and other precautionary measures are undoubtedly prudent, we find that they are not recoverable damages on the facts before us, because the plaintiffs seek only to recover for an increased risk of harm.”

The trial court’s dismissal of plaintiffs’ complaint was affirmed.

That conclusion seems straightforward, right? Not quite. There are two aspects of the Collins opinion that either diminish its usefulness or give you hope, depending on which side of this battle you favor.

Read more on Daily Report.

From my perspective, the decision is an unfortunate one that once again fails to appreciate the harm and costs patients and consumers incur from a breach.

Related posts:

  • Athens Orthopedic Clinic incident response leaves patients in the dark and out of pocket for protection
  • Athens Orthopedic Clinic Pays $1.5 Million to Settle HHS Charges of Systemic Noncompliance with HIPAA Rules
  • Extortion demand on Athens Orthopedic Clinic escalates as patient data is dumped
  • Quest Records LLC breach linked to TheDarkOverlord hacks; more entities investigate if they’ve been hacked
Category: Breach IncidentsCommentaries and AnalysesHackHealth Data

Post navigation

← DealerBuilt Settles with New Jersey AG Over Data Breach
The Mirai Botnet Architects Are Now Fighting Crime With the FBI →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Mississippi Law Firm Sues Cyber Insurer Over Coverage for Scam
  • Ukrainian Hackers Wipe 47TB of Data from Top Russian Military Drone Supplier
  • Computer Whiz Gets Suspended Sentence over 2019 Revenue Agency Data Breach
  • Ministry of Defence data breach timeline
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan
  • A year after cyber attack, Columbus could invest $23M in cybersecurity upgrades
  • Gravity Forms Breach Hits 1M WordPress Sites
  • Stormous claims to have protected health info on 600,000 patients of North Country Healthcare. The patient data appears fake. (2)
  • Back from the Brink: District Court Clears Air Regarding Individualized Damages Assessment in Data Breach Cases

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)
  • A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care
  • Here’s What a Reproductive Police State Looks Like
  • Meta investors, Zuckerberg to square off at $8 billion trial over alleged privacy violations
  • Australian law is now clearer about clinicians’ discretion to tell our patients’ relatives about their genetic risk
  • The ICO’s AI and biometrics strategy
  • Trump Border Czar Boasts ICE Can ‘Briefly Detain’ People Based On ‘Physical Appearance’

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.