Collins v. Athens Orthopedic Clinic, P.A.

Supreme Court of Georgia

December 23, 2019

COLLINS et al.

         Superior Court, Clarke County, G. Grant Brantley, Judge


          David A. Bain ; Goldman Scarlato & Penny, Mark S. Goldman, Douglas J. Bench, for appellants.

          Chilivis, Cochran, Larkins & Bever, John D. Dalbey, for appellee.

          Judges: PETERSON, Justice. All the Justices concur.



          Peterson, Justice.

          When a criminal steals consumers' sensitive personal data, what do those consumers have to plead against the allegedly negligent business from whom the data was stolen to show a legally cognizable injury under Georgia tort law? The Court of Appeals has held in cases involving the exposure of personal information that the failure to show that the information had actually fallen into criminal hands, let alone that the information was used to the consumers' detriment, [307 Ga. 556] meant that plaintiffs had failed to show a legally cognizable injury. But this case, which was dismissed on the pleadings despite allegations of large-scale criminal activity, falls into a different category of data-exposure cases. The plaintiffs here, current or former patients of the defendant medical clinic, brought a putative class action after the clinic informed them that a hacker had stolen their personal data from the clinic. We conclude that the injury the plaintiffs allege that they have suffered is legally cognizable. Because the Court of Appeals held otherwise in affirming dismissal of the plaintiffs' negligence claims, we reverse that holding. Because that error may have affected the Court of Appeals's other holdings, we vacate those other holdings and remand the case.

          1. Background.

          The complaint, verified by each of the named plaintiffs, alleges that in June 2016 an anonymous hacker stole the personally identifiable information, including social security numbers, addresses, birth dates, and health insurance details, of at least 200,000 current or former patients of Athens Orthopedic Clinic ("the Clinic") from the Clinic's computer databases. Those current or former patients included named plaintiffs Christine Collins, Paulette Moreland, and Kathryn Strickland. According to the allegations contained in the complaint, the hacker demanded a ransom, but the Clinic refused to pay. The hacker offered at least some of the stolen personal data for sale on the so-called “dark web,” and some of the information was made available, at least temporarily, on Pastebin, a data-storage website. The Clinic notified the plaintiffs of the breach in August 2016.

          The plaintiffs allege that because their personal data has been “compromised and made available to others on the dark web, criminals are now able to assume Class Members' identit[ies] and fraudulently obtain credit cards, issue fraudulent checks, file tax refund returns, liquidate bank accounts, and open new accounts, all in Class Members' names.” Each named plaintiff alleges that she has “spent time calling a credit reporting agency and placing a fraud or credit alert on her credit report to try to contain the impact of the data breach and anticipates having to spend more time and money in the future on similar activities.” Collins also alleges that fraudulent charges to her credit card were made “[s]hortly” after the data breach and that she spent time getting the charges reversed by the card issuer. And the complaint alleges that “[e]ven Class Members who have not yet experienced identity theft or are not yet aware of it nevertheless face the imminent and substantial risk of future injury.”

          In their suit against the Clinic, the plaintiffs sought class certification and asserted claims for negligence, breach of implied contract, and unjust enrichment. They sought damages based on [307 Ga. 557] costs related to credit monitoring and identity theft protection, as well as attorneys' fees. They also sought injunctive relief under the Georgia Uniform Deceptive Trade Practices Act, OCGA § 10-1-370 et seq. (“UDTPA”), and a declaratory judgment to the effect that the Clinic must take certain actions to ensure the security of class members' personal data in the future. The Clinic filed a motion to dismiss based on both OCGA § 9-11-12 (b) (1) and OCGA § 9-11-12 (b) (6), which the trial court granted summarily.

          A divided panel of the Court of Appeals affirmed. See Collins v. Athens Orthopedic Clinic, 347 Ga.App. 13 (815 S.E.2d 639) (2018). The Court of Appeals concluded that the plaintiffs' negligence claim was properly dismissed because the plaintiffs “seek only to recover for an increased risk of harm.” Id. at 18 (2) (a). The majority concluded that although the credit monitoring and other precautionary measures alleged by the plaintiffs were “undoubtedly prudent,” they were “designed to ward ...
