Legal News

Banner Health Agrees to Pay $6 Million to Settle Data Breach Lawsuit

In June 2016, Banner Health suffered a data breach in which the protected health information of 2.9 million individuals was allegedly stolen by hackers. In August 2016, a class action lawsuit was filed by victims of the breach. A settlement has now been reached and Banner Health has agreed to pay $6 million to breach victims to resolve the lawsuit, according to documents filed in the U.S. District Court of Arizona on December 5, 2019.

Plaintiffs alleged that the attack was financially motivated and that hackers gained access to systems containing patient information and exfiltrated the protected health information of approximately 2.9 million individuals. The types of information stolen by the hackers included names, addresses, dates of birth, Social Security numbers, prescription information, medical histories and, for around 30,000 individuals, credit and debit card numbers. Individuals whose credit and debit card numbers were stolen had visited food and beverage outlets at Banner Health hospitals. Malware had been installed which exfiltrated card numbers when purchases were made. The hackers had access to Banner Health systems for approximately 2 weeks.

The lawsuit alleges Banner Health failed to implement appropriate safeguards to protect against cyberattacks, such as multi-factor authentication, firewalls, and data encryption.

The plaintiffs argued that the cyberattack on Banner Health placed them at “a significantly increased risk of suffering devastating and expensive financial and medical identity theft.” Some plaintiffs claimed to have suffered identity theft and fraud as a direct result of the data breach.

Under the terms of the settlement, plaintiffs will be able to submit reimbursement claims for expenses incurred as a result of the data breach. Claims will be accepted up to a maximum of $500 per person for standard expenses, and up to $10,000 for extraordinary expenses. Banner Health has placed an overall cap of $6 million on expense claims.

Additionally, individuals affected by the breach have been offered an additional 2 years of credit monitoring and identity theft protection services. The plaintiffs have filed a motion for preliminary approval of the settlement.

The post Banner Health Agrees to Pay $6 Million to Settle Data Breach Lawsuit appeared first on HIPAA Journal.

Kalispell Regional Healthcare Sued Over 130,000-Record Data Breach

Kalispell Regional Healthcare in Montana is being sued over a phishing attack in which hackers gained access to employee email accounts containing the protected health information of almost 130,000 patients.

The compromised email accounts contained patient information such as names, contact information, medical bill account numbers, medical histories, and health insurance information. Approximately 250 individuals also had their Social Security number exposed.

The phishing attack occurred in May 2019, but it was not initially clear which, if any, patients had been affected. It took until August for forensic investigators to determine that patient information had potentially been compromised.

All affected patients were notified, and the health system offered 12 months of free credit monitoring and identity theft protection services to patients whose Social Security numbers had potentially been compromised.

One of the patients whose personal and health information was compromised has now taken legal action over the data breach. The lawsuit was filed in Cascade County District Court in Great Falls, MT on November 25 by attorney John Heenan. Heenan is seeking class action status for the lawsuit.

The lawsuit alleges Kalispell Regional Healthcare failed to take the necessary steps to keep patients’ personal and health information private and confidential, did not abide by best practices and industry standards for securing patient data, and failed to notify patients about the breach in a timely manner. As a result of the alleged failures, the lawsuit claims, patients have been placed at risk of identity theft and fraud.

It does not appear that Henderson’s personal and health information had been misused at the time the lawsuit was filed; however, he claims that he is at risk of identity theft and fraud, which could occur at any time now that his information is in the hands of hackers.

Patients cannot sue healthcare providers for damages under HIPAA as there is no private cause of action, but it is possible to take legal action in many states over healthcare data breaches, as is the case in Montana.

The Montana Uniform Health Care Information Act allows victims of healthcare data breaches to sue healthcare providers for violations of the Act. The lawsuit alleges Kalispell Regional Healthcare is in violation of the Act.

After it was learned that patient information had potentially been compromised, the health system issued notifications to affected patients and reported the breach to local media outlets in the area.

Kalispell Regional Healthcare’s director of information technology, Melanie Swenson, explained that “This wasn’t your everyday, average hacker. They were very sophisticated at disguising their tracks.” She also explained that protecting the privacy of patients is a key priority for the health system and that email security solutions had been implemented prior to the attack to block spam and phishing emails. The security solutions were blocking around 50,000 inbound email threats each day. She also stated that CynergisTec had conducted an audit of the health system in 2018 and found it to be in the top 9% of healthcare industry organizations for cybersecurity compliance.

Since the attack, email security has been improved and the health system has increased training for employees to help them recognize phishing attacks and other email threats.


Solara Medical Supplies Sued Over 114,000-Record Data Breach

Solara Medical Supplies is facing legal action over a June 2019 data breach that saw the protected health information of more than 114,000 customers exposed and potentially stolen by an unauthorized individual who gained access to its email system.

Solara Medical Supplies, a supplier of medical devices and disposable medical products, discovered the breach on June 28, 2019. While initially believed to involve one email account, an investigation revealed several Office 365 email accounts had been compromised for a period of around 6 weeks, starting on April 2, 2019.

The types of information exposed as a result of the attack included names, addresses, birth dates, employee ID numbers, Social Security numbers, health insurance information, financial information, credit card/debit card numbers, passport details, state ID numbers, driver’s license numbers, password/PIN or account login information, claims data, billing information, and Medicare/Medicaid IDs.

Customers affected by the breach were notified in November and were offered complimentary credit monitoring and identity theft protection services; however, that was not enough to prevent legal action being taken over the exposure of customers’ sensitive information.

Multiple law firms are now seeking clients who have had their sensitive information exposed as a result of the phishing attack, and one lawsuit has already been filed with the U.S. District Court for the Southern District of California.

The plaintiff, Juan Maldonado, is a customer of Solara Medical Supplies who uses products supplied by the company to help manage his medical condition. The lawsuit states that Maldonado’s sensitive personal information is now in the hands of cybercriminals, which has placed him at considerable risk of identity theft and fraud, and alleges Solara Medical Supplies was negligent for failing to protect the sensitive data of its customers.

While the lawsuit cites HIPAA, there is no private right of action under HIPAA so individuals affected by a data breach do not have the right to sue a HIPAA-covered entity for the exposure of their data or for any HIPAA violations that are believed to have occurred. Legal action can only be taken against covered entities by the HHS’ Office for Civil Rights and state attorneys general. The lawsuit alleges Solara Medical Supplies has violated state laws, including the California Consumer Privacy Act.

The lawsuit alleges Solara Medical Supplies did not have adequate computer systems and security practices in place to safeguard customers’ personal and medical information, did not have systems in place to allow data breaches to be detected promptly, and failed to notify affected customers in a timely manner.

It took more than 7 months from the date of the initial email account compromise for affected individuals to be notified, and more than 4 months after the breach was first detected. The lawsuit claims that Solara made no effort during that time to warn customers about the risks they faced from the exposure of their data, and states that during those four months the attackers had ample opportunity to defraud Solara’s customers.

Solara found no evidence to suggest any data was stolen by the attackers and, at the time of issuing notifications, no reports had been received to indicate any customer information had been misused.

The lawsuit seeks class action status and appropriate monetary relief, injunctive relief, actual damages, punitive damages, attorneys’ fees, and payment for extended credit monitoring and identity theft protection services.

The lawsuit raises an important issue about breach notifications to individuals whose protected health information has been exposed or stolen. It is now common for HIPAA-covered entities to wait until they have completed the investigation of a breach before notifications are issued.

The HIPAA Breach Notification Rule states that notifications must be issued without undue delay and no later than 60 days after the discovery of a breach. Despite the HHS’ Office for Civil Rights having previously issued guidance on breach notifications, many covered entities are interpreting the notification requirement as 60 days from the date when they are informed by the forensics company they engaged to investigate the breach that patient information could have been accessed. That date can be several months after the breach was initially discovered.

Even then, notifications are often delayed further, with covered entities waiting up to 60 more days before notifications are sent to affected individuals. By taking this approach, covered entities are risking regulatory fines for unnecessarily delaying breach notifications.


Exposure to Extreme Content at Work Sees Former Facebook Employees Sue for Psychological Injuries

Compensation is being sought by former Facebook content moderators who claim to have suffered psychological injuries as a direct result of the exposure to extreme online content at work.

Several employees have started legal action against Facebook, first in California and now in Ireland, where Facebook has its EMEA headquarters.

In September 2019, the Personal Injuries Assessment Board in Ireland gave the go-ahead for former employees to take their case against Facebook to the High Court. The legal action started on December 4, 2019 against Facebook and CPL Resources, one of the third-party companies Facebook uses to provide its content moderators. Former Facebook content moderator Chris Gray is named as lead plaintiff.

Facebook content moderators perform a vital job for the social media platform. The job involves viewing content that has been posted by Facebook users and determining whether the content should remain on the social network or be filtered out or deleted. Without their efforts, the social media platform would be awash with extreme content.

According to Facebook’s Community Standards Enforcement Report, in the first quarter of 2019 its content moderators removed 5.4 million posts that violated its standards on child sexual abuse and exploitation and 33.6 million posts were removed from the platform that depicted violent and graphic content. All of that content must be manually reviewed by an army of content moderators.

Facebook content moderators are often paid little more than minimum wage and working conditions are difficult. Many workers struggle with the job due to the pressure to meet targets and the relentless stream of extremely disturbing content they must moderate. Facebook maintains that its content moderators are provided with access to support services and wellness resources due to the nature of the job. The Facebook content moderators in Ireland are telling a different story and say they are not properly trained to deal with the content they see and they do not have the necessary support, such as access to counselors and mental health services, both on the job and after they leave.

Chris Gray claims his job involved repeated exposure to graphic and often violent content, which in many cases was extremely disturbing. Gray was employed by CPL Resources as a contractor for 10 months between 2017 and 2018 and claims he has suffered psychological injuries at work as a result of the relentless images and videos he was having to view on a daily basis. Gray was later diagnosed as suffering from PTSD.

Gray had to make decisions on extreme content and faced a barrage of highly distressing content every day. He was exposed to a wide range of extreme material, including stonings, stabbings, beatings, beheadings, child abuse videos, animal torture, and extreme sexual content, including bestiality and child porn.

For instance, he had to view people being shot at point blank range with machine guns, saw videos of the massacre of the Rohingya people in Myanmar, and the torture and abuse of migrants from Libya. The extreme content was relentless.

The viewing of such extreme content left Gray numb and desensitized, and it started to have a major impact on his life. He found that his personal and political views were changing “in a slow creep,” and he experienced extreme emotions ranging from sensitivity to irritability and anger. He found he was becoming more and more aggressive and argumentative outside of work.

There was no release while asleep, as Gray found himself dreaming about some of the things he had seen at work. The situation became so bad that he could not discuss his concerns and struggles with his superiors at work in a reasonable, calm, and professional manner.

On top of the content he had to view, he faced extreme pressure at work to ensure content was correctly categorized. Facebook demanded a 98% accuracy rate. As Gray explained, that equated to just 4 misclassifications a month. The pressure of achieving that level of accuracy and the huge volume of content he was required to assess also affected his mental health and stress levels, often disrupting his sleep. He often found himself waking up frightened that he had made a mistake at work.

A spokesperson for Facebook said, “reviewing certain types of content can sometimes be difficult,” but maintained that all staff had been provided with extensive training and that all content moderators were given full-time support. Measures had also been implemented to limit exposure to graphic, extreme content as far as was possible. However, Gray claims he was not given adequate support or training.

He also claims that there is no screening process for employees to determine whether they are right for the job and if viewing such extreme content is likely to affect their mental well-being. He says there was also a lack of monitoring on the job to identify individuals who are struggling to cope with either the content or stress from the workload and working conditions.

Gray is not an isolated example. Sean Burke, another former Facebook content moderator, told Vice in an interview, “My first day on the job, I witnessed someone being beaten to death with a plank of wood with nails in it and repeatedly stabbed.” At least a dozen former Facebook content moderators are taking legal action against Facebook in Ireland.

This is the first case of its type to go before the European Court, but it is unlikely to be the last given the number of individuals employed to perform the job. Gray’s legal team say he is one of around 15,000 individuals who are employed as Facebook content moderators around the world through third party companies.

Many former Facebook content moderators are now speaking out about the poor working conditions, extreme pressure to reach targets, and the psychological effects of viewing extreme content day in, day out. Some of those employees have had to take antidepressants to help them cope, others speak of alcohol abuse to help them sleep and block out the images that plague them at night, and several have been diagnosed with PTSD.

One of the reasons why so few former employees have spoken out is because they have signed non-disclosure agreements. Violating the terms of the NDA could result in legal action and would make it difficult for them to find other work in the tech industry. Those NDAs are also placing the mental health of employees at risk, as they feel they cannot even talk about their work and problems with friends and family and end up bearing the burden on their own.

Gray and other plaintiffs are seeking compensation for psychological distress, but they also want Facebook to take action to prevent others from suffering psychological injuries. They want to ensure that working conditions change, exposure to extreme content is limited, better support is provided and, given the nature of the job, greater care is taken selecting the right individuals for the job.

Gray’s legal team is attempting to get Facebook to provide data on the content employees have been exposed to and the volume of extreme content they had to moderate on a daily basis. If that information is disclosed, which is likely in Ireland, Facebook could well be forced to pay out a considerable amount of compensation to its content moderators. Another question that will need to be answered is who at Facebook knew that the job was causing post-traumatic stress disorder and what, if anything, was being done to address the injuries in the workplace.

As more people speak out and the case receives wider press coverage, the number of individuals seeking social media content moderator compensation is expected to grow, not just in Ireland but throughout Europe. Gray’s legal team is already liaising with groups of content moderators in Barcelona and Berlin. They have also heard from former Facebook content moderators in Sweden who are interested in seeking compensation for psychological injuries sustained due to their work.


Quest Diagnostics $195,000 Class Action Settlement Approved by Federal Judge

Following a November 2016 cyberattack at Quest Diagnostics that resulted in an unauthorized individual accessing and stealing the personal information and medical test results of 34,000 individuals, a class action lawsuit was filed by the breach victims. Quest Diagnostics proposed a $195,000 settlement to resolve the case. The settlement has recently been approved by a U.S. district court judge in New Jersey.

The types of information obtained by the hacker included names, phone numbers, dates of birth, and the results of medical tests, including HIV test results.

The lawsuit alleged that Quest Diagnostics had violated New Jersey laws and had been negligent for failing to safeguard the sensitive health information of its clients, that Quest Diagnostics had breached its contract with clients, and that the company failed to provide timely notifications to patients informing them about the hacking incident and theft of their data.

Quest Diagnostics maintains the claims are meritless, but the decision was taken to settle the lawsuit to avoid ongoing litigation and further legal costs. Under the terms of the settlement, all individuals who can demonstrate they have suffered monetary losses as a direct result of the breach will be entitled to claim $250. The payment is intended to compensate individuals for having to take action to secure their accounts and pay for credit monitoring and identity theft protection services.

Any individual whose HIV test results were included in the stolen data will be entitled to claim $75, in addition to the $250 if they have also suffered monetary losses.

Quest Diagnostics has also been named as a co-defendant in several lawsuits filed by victims of the data breach at American Medical Collection Agency (AMCA) earlier this year. The hacking of the AMCA payment portal enabled the attacker to steal the protected health information of more than 26 million individuals, 11,500,000 of whom had received medical tests at Quest Diagnostics and had their PHI passed to AMCA for collection.


California Amends CCPA and Expands Definition of Personal Information Warranting Data Breach Notifications

California Governor Gavin Newsom has signed a new bill that updates data breach notification law in California, expanding the definition of personal information that requires notifications to be sent to state residents affected by a data breach.

Prior to the update, notifications were required if state residents had their Social Security number, driver’s license number, health information, financial information, or username/passwords compromised. Under the update, entities that experience a breach involving passport numbers, tax ID numbers, military ID numbers, other unique government ID numbers, or biometric information will also be required to notify affected residents of the data breach.

The law applies to data breaches where personal information has been obtained by an unauthorized person or is reasonably believed to have been obtained by an unauthorized individual.

The bill – AB-1130 – was introduced by California Assemblyman Marc Levine (D) and was co-sponsored by California Attorney General Xavier Becerra. Governor Newsom signed the bill into law on October 11 and the bill will take effect on January 1, 2020.

Updates Made to California Consumer Privacy Act

Governor Newsom also signed six amendments to the California Consumer Privacy Act (CCPA) into law. CCPA introduced a range of new privacy protections for California residents, giving them new rights over the data collected on them by businesses.

CCPA is due to take effect on January 1, 2020, although the new law will not be enforceable until 6 months after the California Attorney General publishes final regulations on CCPA. The first draft of those regulations has now been issued by Attorney General Becerra.

Public hearing dates have been scheduled between December 2, 2019 and December 6, 2019 and the final set of regulations are due to be released in the spring of 2020. CCPA will become enforceable 6 months after the publication of the implementing regulations or on July 1, 2020, whichever is sooner. However, if the final regulations are published between July 1, 2020 and December 31, 2020, enforcement cannot commence until 6 months after the publication date.

The updates to CCPA that have now been signed into law are:

AB-25 – CCPA no longer includes data collected on job applicants, employees, directors, officers, business owners, medical staff, and contractors for the first year.

AB-874 – Update to “publicly available information” clarifying that the information is lawfully made available from federal, state, or local government records.

AB-1146 – Vehicle information collected under warranty or recall programs is now exempt from CCPA.

AB-1202 – Data brokers are required to register with the California Attorney General’s office.

AB-1355 – Aggregated consumer data and deidentified data are exempted from the CCPA definition of personal information.

AB-1564 – Businesses are required to provide two methods for consumers to contact them, unless the business only operates online, in which case only an email address needs to be offered.


New Data Breach Notification Requirements in Maryland for Health Insurers

From October 1, 2019, providers of health insurance and associated services are required to notify the Maryland Insurance Administration (MIA) in the event of a breach of insureds’ personal information.

The law change applies to health plans, health insurers, HMOs, managed care organizations, managed general agents and third-party health insurance administrators.

The Compliance & Enforcement Unit at the MIA must be notified if the breach investigation determines there is a risk that insureds’ personal information has been or is likely to be misused.

Personal information is defined as an individual’s first name or first initial and last name in combination with one or more of the following data elements, if those data elements are not encrypted, redacted, or otherwise rendered unreadable:

Social Security number; Individual Taxpayer Identification Number; passport number or other federal identification number; driver’s license number or state identification card number; health information; biometric data; health insurance policy/certificate number or health insurance subscriber identification number; or an account number, credit/debit card number, username or e-mail address, together with a password, access code, or security question and answer that would allow the account to be accessed.

Article §4-406 of the Annotated Code of Maryland states that the carrier must provide the notification at the same time that a notification is sent to the Maryland Office of the Attorney General, as required under Subtitle 35 of the Maryland Personal Information Protection Act (§ 14–3504(h)).

Notifications must be sent by mail or email using the breach notification form on the MIA website. Notifications must include the company name, name and contact details of the person supplying the notification, and a brief description of the circumstances of the data breach.

The MIA must also be supplied with a copy of the breach notification letter sent to affected individuals and a copy of the breach notification letter sent to the Maryland Attorney General.


UCMC and Google File Motions to Dismiss HIPAA Privacy Lawsuit

On June 26, a patient of University of Chicago Medical Center (UCMC) filed a lawsuit against the medical center and Google over an alleged privacy violation related to the sharing of protected health information (PHI) without first properly de-identifying the data.

Patient information was shared with Google to assist with the development of its predictive medical data analytics technology. HIPAA does not prohibit the sharing of information with third parties such as technology companies, provided consent is obtained from patients prior to information being shared.

Alternatively, healthcare organizations can share patient information provided it is de-identified. Under HIPAA, that means removing 18 identifiers to ensure patients cannot be identified. HIPAA calls for one of two methods to be used to de-identify PHI: expert determination or the safe harbor method. The latter involves stripping PHI of all 18 identifiers, while the former requires an expert to determine, through recognized statistical and scientific principles, that the risk of patients being re-identified is sufficiently low.

The lawsuit alleges UCMC failed to remove all the necessary information from the data prior to it being shared with Google. In addition to the dates and times when patients checked in/out of hospital, the lawsuit alleges “copious free-text notes” were also shared with Google.

The time stamps place each patient at the hospital at a specific time, which places patient privacy at risk. The lawsuit alleges the inclusion of time stamps violates the provisions of the safe harbor de-identification method and that UCMC did not obtain consent from patients to share their data with Google.
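As an added illustration (not code from HIPAA Journal, UCMC or Google), the Python below applies the safe harbor approach described above to a constructed patient record and reports which elements would block release, including the check-in/check-out timestamps and free-text notes at issue in this lawsuit. The field names, the 2019 reference year and the ZIP prefix allow-list are assumptions made for the example.

```python
import re
from datetime import datetime

# Field names are assumptions for this example. They stand in for the
# safe harbor identifier classes: names, geographic units smaller than a
# state, contact details, SSN, medical record and health plan numbers,
# account, certificate/licence, vehicle and device identifiers, URLs,
# IP addresses, biometrics, full-face photos and any other unique code.
DIRECT_IDENTIFIERS = {
    "name", "street_address", "city", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number", "vehicle_id",
    "device_id", "url", "ip_address", "biometric", "photo", "other_unique_id",
}
# Safe harbor keeps only the year of any date tied to the individual, so a
# check-in or check-out timestamp is an identifier until it is generalised.
DATE_FIELDS = {"dob", "admit_time", "discharge_time"}
# Free text can carry any identifier, so it is dropped rather than "cleaned".
FREE_TEXT_FIELDS = {"notes"}
# Only a 3-digit ZIP prefix may survive, and only where the area holds more
# than 20,000 people; this allow-list is a constructed stand-in, not census data.
ZIP3_ALLOWED = {"606"}
# Assumed reference year for age checks (the year of the article).
REFERENCE_YEAR = 2019


def deidentify(record: dict) -> dict:
    """Produce a safe harbor style copy of one patient record."""
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIERS or key in FREE_TEXT_FIELDS:
            continue
        if key in DATE_FIELDS:
            # Accepts 'YYYY-MM-DD' or 'YYYY-MM-DDTHH:MM'; keeps the year only.
            year = datetime.fromisoformat(str(value)).year
            # A birth year implying an age over 89 is itself an age indicator,
            # and ages over 89 must be aggregated into a single 90+ bucket.
            if key == "dob" and REFERENCE_YEAR - year > 89:
                out[key] = "90+"
            else:
                out[key] = str(year)
        elif key == "zip":
            zip3 = str(value)[:3]
            out[key] = zip3 if zip3 in ZIP3_ALLOWED else "000"
        elif key == "age":
            out[key] = "90+" if int(value) > 89 else value
        else:
            out[key] = value
    return out


def safe_harbor_violations(record: dict) -> list:
    """Return the fields that would block a safe harbor release of this record."""
    problems = []
    for key, value in record.items():
        v = str(value)
        if key in DIRECT_IDENTIFIERS or key in FREE_TEXT_FIELDS:
            problems.append(key)
        elif key in DATE_FIELDS:
            if v == "90+":
                continue
            too_old = key == "dob" and re.fullmatch(r"\d{4}", v) and REFERENCE_YEAR - int(v) > 89
            if not re.fullmatch(r"\d{4}", v) or too_old:
                problems.append(key)
        elif key == "zip" and v not in ZIP3_ALLOWED | {"000"}:
            problems.append(key)
        elif key == "age" and v != "90+" and int(v) > 89:
            problems.append(key)
    return sorted(problems)


# Constructed sample record: the check-in/check-out timestamps and the
# free-text note are the kinds of element the UCMC complaint says were left in.
SAMPLE_RECORD = {
    "mrn": "000123",
    "name": "Jane Doe",
    "zip": "60637",
    "dob": "1952-03-14",
    "admit_time": "2015-06-03T14:22",
    "discharge_time": "2015-06-05T09:10",
    "age": 67,
    "diagnosis_code": "I10",
    "notes": "Retired teacher, lives near the hospital, sister visited daily.",
}

if __name__ == "__main__":
    print("violations before:", safe_harbor_violations(SAMPLE_RECORD))
    cleaned = deidentify(SAMPLE_RECORD)
    print("cleaned record:", cleaned)
    print("violations after:", safe_harbor_violations(cleaned))
```

Note that this only checks structured fields; it is the reason free text is dropped outright rather than scrubbed, since no field-level rule can guarantee a note contains no identifier.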

The main issue is that Google already stores vast quantities of user data from its “prolific data mining” activities and that the tech giant is in a position where it could identify all individuals from the medical records provided by UCMC.

The lawsuit even goes as far as to suggest the collaboration between the medical center and Google is an attempt to “pull off what is likely the greatest heist of consumer medical records in history.”

Last week, UCMC and Google filed motions to have the lawsuit dismissed. The defendants claim that a secure process was employed to de-identify patient data and that the process was fully compliant with HIPAA Rules. Further, Google argues that the plaintiff and other class members do not allege Google has used the data to re-identify patients, only that the company has the capability of doing so. Consequently, no injury has been sustained as a result of the sharing of information, and even if an injury had been sustained, the case should be dismissed as there is no private right of action under HIPAA.

The defendants also argue that the definition of the intrusion provided by the plaintiffs does not fall under HIPAA as each patient voluntarily provided their medical information to the medical center. Instead, it falls under the Consumer Fraud and Deceptive Business Practices Act.


Georgia Court of Appeals to Decide Whether Athens Orthopedic Data Breach Victims Are Entitled to Damages

A class action lawsuit filed by victims of a June 2016 cyberattack on Athens Orthopedic in Georgia has gone before the Georgia Supreme Court to determine whether breach victims are entitled to recover damages.

The cyberattack in question saw the personal information, Social Security numbers, and health insurance information of approximately 200,000 individuals stolen by the hacking group, Dark Overlord.

The Dark Overlord has conducted numerous attacks on healthcare organizations in the United States over the past three years. Initially, attacks were conducted to steal sensitive data, which was subsequently sold on dark web marketplaces. More recently, attacks have involved data theft and extortion. A ransom demand is issued to breached entities that must be paid in order to prevent publication of the stolen data. Athens Orthopedic did not pay the ransom demand.

The Dark Overlord gained access to Athens Orthopedic’s systems via an attack on a “nationally-known health care information management contractor,” the login credentials of which were used to steal patient data.

Athens Orthopedic monitored websites to determine whether patient data had been published and took steps to take down a list containing the PHI of 500 of its patients, which had been posted on PasteBin. The information was eventually removed, but during the time it was accessible online it is possible that multiple individuals copied the data. The Dark Overlord also listed data for sale online, although it is unclear whether anyone bought the dataset.

Athens Orthopedic notified its patients about the breach and advised them to contact one of the three credit reporting agencies to place a fraud alert on their credit file. Even though Social Security numbers were stolen, affected patients were not offered credit monitoring or identity theft restoration services.

A class action lawsuit was filed on behalf of three victims of the breach – Christine Collins, Paulette Moreland, and Kathryn Strickland – shortly after the breach was announced. The plaintiffs seek compensation for the time spent protecting their identities and reimbursement of legal fees and the cost of past and future credit monitoring services.

The plaintiffs allege negligence, breach of implied contract, unjust enrichment, and violation of the Georgia Uniform Deceptive Trade Practices Act.

While victims of the breach have incurred costs, there is the issue of whether an injury has been suffered. Collins alleges she had fraudulent charges on her credit card shortly after the breach but failed to allege they were the result of the cyberattack and did not demonstrate PHI had been misused as a direct result of the breach.

The case was dismissed by the Trial Court and the Georgia Court of Appeals as the plaintiffs could demonstrate no financial loss or harm as a direct result of the cyberattack. Consequently, they are not entitled to claim damages under Georgia law. The decision was appealed, and it is now down to the Georgia Supreme Court to determine whether there are any compensable injuries. Oral arguments were heard this week.

“By ruling that the plaintiffs have failed to allege a compensable injury, the message delivered thus far in this case has been that data-breach victims in Georgia have no legal rights, regardless of how careless the defendant’s data security practices may have been,” argued the plaintiffs’ attorneys.

The plaintiffs allege Athens Orthopedic Clinic has not taken any steps to improve security and that “It continues to store the plaintiffs’ personally identifiable information on computer systems that employ the same lax security measures that permitted the hacker to access and steal the plaintiffs’ information.”

They also maintain their claims should not have been dismissed as “a present injury is not a required element for the plaintiffs’ breach of contract, unjust enrichment, declaratory judgment, or injunctive relief claims under Georgia law.”

The Supreme Court is expected to issue a ruling on the case – Collins et al. v. Athens Orthopedic Clinic, P.A. – within the next six months. Should the Supreme Court overturn the decision of the Court of Appeals, it will have implications for data breach victims not only in the state of Georgia, but throughout the United States.
