307 Ga. 555
Ga.
2019

Background

  • In June 2016 a hacker accessed Athens Orthopedic Clinic’s databases and stole personally identifiable information (SSNs, DOBs, addresses, insurance data) for at least ~200,000 current/former patients. The hacker demanded ransom and offered at least some stolen data for sale on the dark web and posted data on Pastebin.
  • Named plaintiffs alleged the breach exposed them to imminent and substantial risk of identity theft; one plaintiff reported fraudulent card charges soon after the breach and others alleged time and money spent placing fraud alerts and credit monitoring.
  • Plaintiffs filed a putative class action asserting negligence, breach of implied contract, unjust enrichment, UDTPA injunctive relief, and declaratory relief; they sought damages for mitigation costs and injunctive/declaratory relief to improve data security.
  • The Clinic moved to dismiss under OCGA § 9-11-12(b)(1) and (b)(6); the trial court granted dismissal. A divided Court of Appeals affirmed, holding the plaintiffs had alleged only an increased/speculative risk of harm and therefore no legally cognizable injury.
  • The Georgia Supreme Court reversed the Court of Appeals as to the negligence/injury question, holding plaintiffs’ allegations of mass criminal theft, sale/offering of the data, and an "imminent and substantial" risk of identity theft suffice to plead a legally cognizable injury at the 12(b)(6) stage; other Court of Appeals holdings were vacated and the case remanded.

Issues

| Issue | Plaintiff's Argument | Defendant's Argument | Held |
| --- | --- | --- | --- |
| Whether plaintiffs pleaded a legally cognizable injury from the data breach | Plaintiffs alleged mass criminal theft, sale/offering of stolen PII and an imminent/substantial risk of identity theft plus mitigation costs (credit alerts, monitoring) | Clinic argued plaintiffs alleged only speculative increased risk of harm and therefore no recoverable injury under Georgia tort law | Plaintiffs adequately pleaded a cognizable injury at the motion-to-dismiss stage; reversal of Court of Appeals on this point |
| Whether prior Georgia cases (Finnerty, Rite Aid, Boyd) control | Collins argued those cases are distinguishable because they involved mere disclosures or lacked evidence the data reached criminals | Clinic relied on those precedents to argue exposure alone is insufficient without proof data reached criminals or was used | Court held those cases are inapplicable here: they arose at later stages (summary judgment/class cert) or involved different factual chains; this case alleges actual criminal theft and sale, so less speculative |
| Effect of procedural posture (12(b)(6) v. summary judgment / class-cert) | Plaintiffs: at dismissal stage allegations must be taken as true and are sufficient to state injury | Clinic: factual improbability should prevent pleading of imminent risk | Court emphasized 12(b)(6) standard: accept plaintiffs’ factual allegations; more exacting proof may be required later, but dismissal was improper |

Key Cases Cited

  • Finnerty v. State Bank & Trust Co., 301 Ga. App. 569 (Ga. Ct. App. 2009) (disclosure of SSN in court filing held speculative as to identity-theft injury at later stage)
  • Rite Aid of Georgia v. Peacock, 315 Ga. App. 573 (Ga. Ct. App. 2012) (denial of class certification where link to criminal misuse was speculative)
  • Boyd v. Orkin Exterminating Co., 191 Ga. App. 38 (Ga. Ct. App. 1989) (summary judgment where increased risk of future disease was unsupported by evidence)
  • Goldstein, Garber & Salama, LLC v. J.B., 300 Ga. 840 (Ga. 2017) (elements of negligence and requirement that plaintiff show injury/damages)
  • Nguyen v. Southwestern Emergency Physicians, P.C., 298 Ga. 75 (Ga. 2015) (summary judgment standard requires evidence to create genuine factual disputes)
  • Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (data-breach decision recognizing substantial risk of fraud from stolen consumer data)
  • Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (data-breach standing: substantial risk of harm from hack and nature of data suffices)
  • In re Equifax, Inc., Customer Data Sec. Breach Litig., 362 F. Supp. 3d 1295 (N.D. Ga. 2019) (applying Georgia law, held allegations of risk, remediation costs, and some actual identity theft sufficient to plead injury)
  • Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (discusses causation and plausibility in data-theft contexts)

Case Details

Case Name: COLLINS v. ATHENS ORTHOPEDIC CLINIC, P.A.
Court Name: Supreme Court of Georgia
Date Published: Dec 23, 2019
Citations: 307 Ga. 555; 837 S.E.2d 310; S19G0007
Docket Number: S19G0007
Court Abbreviation: Ga.