Ga. high court’s ruling on 200K-victim cyber attack could set precedent

Some patient records obtained in a hack of Athens Orthopedic Clinic may be for sale online.


A ruling from Georgia’s highest court this week could set a precedent that determines recourse for victims of cyber attacks, an ever-growing problem.

The Georgia Supreme Court on Monday ruled that the victims of an Athens-area medical clinic whose computer databases were invaded by anonymous hacking group “The Dark Overlord” can sue the clinic. The unanimous ruling reverses the Georgia Court of Appeals decision to throw the case out.

Justices found that even the threat of future harm to a data breach victim is enough to be compensated for under the law, which could set statewide precedent in these types of crimes. The case will now go back to the lower court in Athens-Clarke County. As of Monday, no new court date had been scheduled.


The Dark Overlord group stole personal data — Social Security numbers, addresses, birth dates and health insurance details — of 200,000 people from Athens Orthopedic Clinic in June 2016, then demanded a ransom to unlock the databases. The group posted some of the information on a data storage website, according to the high court’s opinion. The clinic declined to pay the ransom and notified patients in August 2016.

A member of The Dark Overlord group, 39-year-old Nathan Wyatt, was extradited this week from the United Kingdom to a St. Louis federal court amid allegations he helped hack American companies and then tried to extort them using sensitive information in exchange for Bitcoin, a virtual form of currency. It isn't clear if Wyatt was involved in the Athens clinic hacking.

Three women claim the clinic was negligent and ask the clinic to pay their legal fees and compensate them for all the credit monitoring they put in place. One of the women, Christine Collins, said fraudulent charges were made to her credit card soon after the breach.

Neither attorneys for the clinic nor the potential plaintiffs responded to The Atlanta Journal-Constitution’s request for comment during this holiday week.


Cyber crime affects organizations small and large, public and private.

A report obtained by The Atlanta Journal-Constitution and Channel 2 Action News showed the March 2018 cyber attack that halted many city systems could cost taxpayers up to $17 million.

Atlanta-based Equifax earlier this year reached a $700 million settlement with the government over the 2017 breach that exposed the personal information of nearly 150 million people.

Justice Nels Peterson wrote in the Athens clinic opinion that the law is behind the prevalence of cyber crime and it may be up to another branch of government to fix.

“Traditional tort law is a rather blunt instrument for resolving all of the complex tradeoffs at issue in a case such as this,” Peterson wrote, “tradeoffs that may well be better resolved by the legislative process.”
