The Athens Twilight Criterium’s largest sponsor, Athens Orthopedic Clinic, is under further scrutiny in the legal case following a personal data breach of at least 200,000 clinic patients in a 2016 computer hack.
The Supreme Court of Georgia began hearing arguments in reference to the case on Aug. 20, according to a Supreme Court of Georgia press release.
Former AOC patients Christine Collins, Paulette Moreland and Kathryn Strickland are appealing the Georgia Court of Appeals decision, which states “they have suffered no financial loss or harm, they are not entitled to recover damages for potential, future injury,” the release said.
In the June 2016 breach, a hacker known as the “Dark Overlord” stole the Social Security numbers, addresses, birth dates and health insurance details of current and former AOC patients, according to the release. The clinic did not pay ransom to the hacker to unlock its databases, and some of the stolen information was offered for sale on the “dark web.” Some information was also posted on the website Pastebin, where users can copy and paste text to save it for later.
In August of that year, three of the hacking victims sued the clinic in the Athens-Clarke County Superior Court, alleging “negligence, breach of implied contract, unjust enrichment, and violation of the Georgia Uniform Deceptive Trade Practices Act,” the release said.
The plaintiffs asked the ACC Superior court to certify their lawsuit as a class action, which is a civil suit in which one or more members of a group represent the group as a whole. They intended for the court to force the clinic to “ensure the future security of class members’ identity information,” according to the release. The plaintiffs wanted compensation after they paid for credit monitoring and identity theft protection services out of fear caused by the data breach.
The clinic’s attorney filed a motion to ask the court to dismiss the lawsuit, which it did in June 2017.
When the plaintiffs appealed, the Georgia Court of Appeals upheld the trial court’s decision. According to the release, the ruling stated the plaintiffs did not present a disagreement that a court could resolve and did not support their claim with evidence of future harm that was not based on speculation.
“The message delivered thus far in this case has been that data breach victims in Georgia have no legal rights, regardless of how careless the defendant’s data security practices may have been,” the plaintiffs’ attorneys said.
The clinic’s attorney argues possible future loss to the plaintiffs does not provide a proper argument for awarding damages.
Doug Monroe, a former patient of AOC whose information was compromised, said the clinic should have offered to pay for identity theft monitoring when they first notified patients of the breach.
“I thought it amateurish for the clinic not to compensate the victims of the data breach in any way,” Monroe said. “The clinic said that they didn’t have enough money to compensate the victims of the data breach, so I was disappointed in that.”
Monroe said he paid Equifax $18 per month for monitoring services, but the credit-reporting company was also hacked. He said he wouldn’t have used Equifax if not for the data breach.
“[The clinic] was not prepared to compensate its clients for this loss,” Monroe said. “I guess they weren’t prepared to do business in the 21st century.”
The case was set for argument at 10 a.m. on Aug. 20. Most cases are decided within six months of the oral argument, according to the release.
AOC has 13 locations across northeast Georgia and has provided care for patients since 1966. The clinic has main locations in Athens and Loganville.