Collins v. Athens Orthopedic Clinic
Decision Date | 27 June 2018 |
Docket Number | A18A0296 |
Citation | 815 S.E.2d 639,347 Ga.App. 13 |
Court | Georgia Court of Appeals |
Parties | COLLINS et al. v. ATHENS ORTHOPEDIC CLINIC. |
David Andrew Bain, for Appellants.
Chivilis Cochran Larkins & Bever, John Durand Dalbey, Atlanta, for Appellee.
After an anonymous hacker known as the "Dark Overlord" stole the personally identifiable information ("PII") of approximately 200,000 current and former Athens Orthopedic Clinic ("AOC") patients, Christine Collins, Paulette Moreland, and Kathryn Strickland (collectively, the "Plaintiffs") filed a putative class action. The trial court granted AOC's motion to dismiss, and Plaintiffs appealed, arguing that the trial court erred by implicitly finding that they failed to state a claim and lacked standing under Article III of the United States Constitution; and by relying on facts outside the four corners of the complaint. We affirm.
We review the grant of a motion to dismiss de novo, construing the factual allegations of the complaint in the light most favorable to the plaintiff. Radio Perry v. Cox Communications, Inc. , 323 Ga. App. 604, 605 (1), 746 S.E.2d 670 (2013). The complaint should be dismissed only if its allegations demonstrate with certainty that the claimants "would not be entitled to relief under any state of provable facts asserted in support thereof; and ... the movant establishes that the claimant could not possibly introduce evidence within the framework of the complaint sufficient to warrant a grant of the relief sought." (Citation and punctuation omitted.) Id.
Plaintiffs allege that the hack took place and was discovered by AOC in June 2016, and that AOC notified them of the breach in August 2016. The Dark Overlord apparently gained access to the PII database by using a third-party vendor's log-in credentials, and when AOC refused to pay a ransom for the information, the Dark Overlord offered some of it for sale on the "Dark Web,"1 and made some of it at least temporarily available on Pastebin, a data-storage website designed to facilitate the sharing of large amounts of data online.
Plaintiffs allege that the data breach exposes them to the threat of identity theft and other harm. All three Plaintiffs were notified that their information had been compromised and spent time placing fraud or credit alerts on their credit reports. Only Collins had fraudulent charges made on her credit card and spent time getting them reversed.2
On January 20, 2017, Plaintiffs filed a putative class action alleging violation of the Georgia Uniform Deceptive Trade Practices Act ( OCGA § 10-1-370 et seq. ), breach of implied contract, unjust enrichment, and negligence. Plaintiffs also seek a declaratory judgment and attorney fees. They seek reimbursement for costs incurred and future costs to be incurred for the purchase of credit monitoring and identity theft protection, or the placing of credit freezes on their accounts, as well as injunctive relief.
On June 26, 2017, the trial court granted AOC's motion to dismiss. The order states, in its entirety:
Before the Court is Defendant [AOC's] motion to dismiss pursuant to OCGA § 9-11-12, which Motion having come on for a hearing on June 14, 2017. Having considered the oral arguments of counsel, the briefs of Plaintiffs and Defendant and all pleadings, but having considered no matters outside the pleadings, it is hereby ORDERED that the Motion to Dismiss is GRANTED.
1. Plaintiffs argue that the trial court erred in considering matters outside the complaint. They point, inter alia, to questions the trial court asked during the hearing on the motion to dismiss. Where matters outside the pleadings are presented, (Citation omitted.) Thompson v. Avion Systems, Inc ., 284 Ga. 15, 16-17, 663 S.E.2d 236 (2008). Here, the trial court's order expressly stated that it "considered no matters outside the pleadings[.]" We find no error.
2. Plaintiffs argue, generally, that the trial court erred in dismissing their complaint by implicitly finding that they failed to state a claim and lacked standing under Article III.
(a) Negligence claim . To state a cause of action for negligence in Georgia, the Plaintiffs must show:
While we never have addressed directly whether prophylactic costs anticipated or incurred to protect oneself against the threat of identity theft following a data breach constitute "loss or damage" pursuant to Whitehead , supra, some Georgia cases offer guidance.
In Finnerty v. State Bank and Trust Co. , 301 Ga. App. 569, 687 S.E.2d 842 (2009), disapproved on other grounds by Cumberland Contractors, Inc. v. State Bank and Trust Co. , 327 Ga. App. 121, 125 (2), n. 4, 755 S.E.2d 511 (2014), Finnerty, a signatory on a promissory note, counterclaimed against a bank suing him for default. He alleged invasion of privacy and negligence because the bank disclosed his Social Security number in the complaint. Id. at 569, 687 S.E.2d 842. Finnerty argued that he "suffered ‘an increased risk of identity theft’ " and that " ‘non-authorized third parties have access to the otherwise confidential personal information[.]’ " Id. at 572 (4), 687 S.E.2d 842. We affirmed the trial court's grant of summary judgment to the bank, finding that "[a] fear of future damages is too speculative to form the basis for recovery." Id. This Court found that Finnerty "failed to demonstrate that the [b]ank's purported unlawful disclosure made it ‘probable’ that he would suffer any identity theft or that any specific persons actually have accessed his confidential personal information[.]" Id.
The instant case differs in that Plaintiffs alleged that the "Dark Overlord" had accessed their PII, offered to sell it on the Dark Web, and placed it, at least temporarily, on Pastebin. However, as OCGA § 51-12-8 provides, "[i]f the damage incurred by the plaintiff is only the ... possible result of a tortious act ... such damage is too remote to be the basis of recovery against the wrongdoer." See generally Rite Aid of Ga. v. Peacock , 315 Ga. App. 573, 576 (1) (a) (i), 726 S.E.2d 577 (2012) ( )" (punctuation omitted; emphasis in original).
While Finnerty and Rite Aid are factually and procedurally distinct from the present case in that they did not involve motions to dismiss and did not feature theft of PII, they nonetheless suggest that the fact of compromised data is not a compensable injury by itself in the absence of some "loss or damage flowing to the plaintiff's legally protected interest as a result of the alleged breach of the legal duty[.]" (Citation and punctuation omitted.) Whitehead , supra at 352 (2), 364 S.E.2d 87 .
To continue reading
Request your trial-
Collins v. Clinic
...a data breach of their personal information. The trial court dismissed all claims, and we affirmed. Collins v. Athens Orthopedic Clinic , 347 Ga. App. 13, 14-22 (2), 815 S.E.2d 639 (2018). Our Supreme Court granted certiorari and reversed, holding that the allegations in the complaint suffi......
-
In re Equifax, Inc.
...already been misused. The Plaintiffs have adequately alleged facts showing actual cognizable injury.The Defendants also cite Collins v. Athens Orthopedic Clinic in their reply brief.91 There, the defendant's patients sued after a cyberhacker stole their personal information from the defenda......
-
In re Equifax, Inc.
...act or omission to act in some duty owed to him."133 The Defendants rely upon a recent Georgia Court of Appeals case, Collins v. Athens Orthopedic Clinic. There, the defendant's patients sued after a cyberhacker stole their personal information from the defendant's systems.134 The court con......
-
Danielkiewicz v. Whirlpool Corp.
...language of the act, "the sole statutory remedy for deceptive trade practices is injunctive relief"); Collins v. Athens Orthopedic Clinic , 347 Ga.App. 13, 815 S.E.2d 639, 648 (2018). In their amended, consolidated complaint, Plaintiffs seek "all available remedies under law, including, but......
-
American Law Institute Proposes Controversial Medical Monitoring Rule in Final Part of Torts Restatement.
...claim where "there was no evidence that the appellants had sustained any specific injury"); see also Collins v. Athens Orthopedic Clinic, 815 S.E.2d 639, 645 (Ga. Ct. App. 2018) ("We find that, as in the context of medical monitoring in toxic tort cases, prophylactic measures such as credit......