Not all personal injury claims involve physical acts. For example, if someone steals your private data, that can provide the basis for a personal injury lawsuit. Courts throughout the country have struggled, however, to define the precise threshold when a “legally cognizable” injury occurs. Does someone actually need to use the data obtained via hacking or other illicit means before you can bring a claim? Or does the mere fact that theft has occurred allow you to sue the person whom you trusted to keep the data secure in the first place?
Collins v. Athens Orthopedic Clinic, PA
A recent decision from the Supreme Court of Georgia, Collins v. Athens Orthopedic Clinic, PA, attempts to provide some answers to these questions. This case involves a June 2016 data breach in which an unknown attacker “stole the personally identifiable information, including Social Security numbers, addresses, birth dates, and health insurance details, of at least 200,000 current and former patients” of the defendant, an Athens-based healthcare provider. A number of patients whose data was compromised by this breach subsequently filed a lawsuit in Georgia state court, alleging the defendant refused to meet the attacker’s ransom demand, and as a result the hacker put “some of the stolen personal data” up for sale.