ATLANTA -- In the spring of 2016, a cyber thief calling himself the "Dark Overlord" hacked into the databases of a Clarke County medical clinic and emerged with the personal information of an estimated 200,000 patients.
The Athens Orthopedic Clinic refused to pay the hacker's ransom and advised current and former patients to set up anti-fraud protections. Now a lawsuit filed by three of those patients -- demanding that the clinic pay damages -- could set a precedent in Georgia, where reports of data breaches have been soaring.
On Tuesday, the Georgia Supreme Court heard arguments that revolved around a key question: Must a data breach victim suffer actual financial loss to be compensated under the law? Or is the threat of future harm enough?
Their answer could have broad ramifications. Atlanta-based Equifax, Georgia Tech and the Georgia Secretary of State's Office are just some of the places where breaches have exposed the data of millions of people.
Equifax, based in Atlanta, was the victim of a data breach in September 2017
The lawsuit considered Tuesday alleges that Athens Orthopedic, which has been providing medical care since 1966, was negligent for the breach. The plaintiffs, all women, are seeking damages for what they have already paid and what they may have to pay in the future for credit monitoring, identity theft protection or placing credit freezes on their accounts.
So far, they have been unsuccessful. In a 2-1 decision last year, the state Court of Appeals ruled that because the plaintiffs suffered no actual financial loss or harm, they are not entitled to recover damages for potential, or future, injuries. But the Supreme Court's decision to take a look at that lower court ruling indicates some of the justices may not be happy with it.
In other data-breach cases, U.S. District Court judges have allowed similar complaints to proceed against companies such as Target, Home Depot, Anthem and Equifax. But in those cases, federal judges did not have to apply Georgia law, which the justices must do in the Athens Orthopedic litigation.
After finding out about the breach, the Athens Orthopedic notified about 200,000 of its current and former patients that the hacked data included their names, addresses, Social Security numbers, dates of birth and telephone numbers. It advised clients to place fraud alerts on their credit accounts and seek other advice.
The women's lawsuit disclosed that some of the stolen information was offered for sale on the dark web -- an encrypted network of websites not accessed by most people. The suit also said some of the information had been made available, at least temporarily, on a data-storage website.