Collins v. Athens Orthopedic Clinic, 849 S.E.2d 213, A18A0296
(Ga. Ct. App. 2020)
Former and current patients filed a putative class action
against the Athens Orthopedic Clinic for negligence, breach of implied
contract, unjust enrichment, attorney fees, injunctive relief under Georgia’s
Uniform Deceptive Trade Practices Act (UDTPA), and declaratory judgment
stemming from a data breach of their personal information. An anonymous hacker
stole the personally identifiable information, including social security
numbers, birthdates, addresses, and health insurance information, of
approximately 200,000 current and former Clinic patients. The hacker demanded
ransom, but the Clinic refused to pay, and the hacker sold the information on
the “dark web.”
The trial court dismissed all claims, but the Georgia
Supreme Court ultimately held that the allegations in the complaint
sufficiently stated a claim for negligence that was not merely speculative and
remanded to reconsider the remaining claims in light of that ruling. On remand,
the court of appeals affirmed the dismissal of the unjust enrichment, declaratory
relief, and UDTPA claims.
The Georgia UDTPA allows only prospective relief, but not
redress for past harm. Thus, standing requires likely future damage by an
unfair trade practice. Here, “an
injunction would serve no purpose at this point because, as alleged, their
personal information was already sold and is available on the dark web. As
such, the plaintiffs have failed to allege a future harm caused by the unfair
practice, as required by the UDTPA, and the trial court properly dismissed this
claim.”
The Chief Judge would have reached the same result on the UDTPA but for a different reason: there was no alleged deceptive trade practice. Athens Orthopedic allegedly violated the Act by failing to inform the plaintiffs that it did not have adequate computer systems and data security practices, but there was no allegation that it knew of the inadequacy, so there was no false advertising.
Posts
No comments:
Post a Comment