Collins v. Athens Orthopedic Clinic
815 S.E.2d 639
Ga. Ct. App.2018Background
- An anonymous hacker stole PII of ~200,000 Athens Orthopedic Clinic (AOC) patients; some data was offered for sale on the Dark Web and briefly posted on Pastebin.
- Three named plaintiffs alleged exposure to identity theft, placed fraud/credit alerts; one plaintiff had unrelated fraudulent card charges.
- Plaintiffs filed a putative class action asserting negligence, breach of implied contract, unjust enrichment, UDTPA violations, declaratory relief, and attorney fees; they sought reimbursement for costs of credit monitoring/identity-protection and injunctive relief.
- AOC moved to dismiss; trial court granted the motion and expressly stated it considered no matters outside the pleadings.
- The Court of Appeals affirmed, holding plaintiffs’ alleged harms were speculative and prophylactic (costs to prevent future identity theft are not cognizable damages under Georgia law), and thus dismissed the claims.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing / Article III injury-in-fact | Hack and publication of PII create imminent/substantial risk of identity theft; that risk suffices for standing | No present injury; risk is speculative and insufficient to confer standing or recovery | Majority did not separately resolve standing; affirmed dismissal on merits (failure to state legally cognizable damages). Concurring judge would find standing (substantial risk sufficient) and remand. |
| Negligence — recoverable damages | Costs of credit monitoring/identity-protection and credit freezes are recoverable as damages from breach of duty | Those costs are prophylactic to mitigate speculative future harm and are not recoverable absent actual injury | Costs are speculative prophylaxis and not recoverable; negligence claim dismissed. |
| Breach of implied contract — damages element | Patients provided PII in exchange for care and implied promise to safeguard it; mitigation costs are consequential damages | No compensable injury occurred, so no consequential damages for mitigation; implied contract fails for lack of damages | Claim fails because plaintiffs alleged only speculative, prophylactic losses. |
| UDTPA (injunctive relief) | AOC’s inadequate security is deceptive/unfair; plaintiffs likely to be damaged in future and seek injunction/credit monitoring | Plaintiffs allege only speculative future harm; no specific future injury an injunction would redress | UDTPA requires likelihood of future damage; plaintiffs did not plead nonspeculative future harm—claim dismissed. |
Key Cases Cited
- Radio Perry v. Cox Communications, Inc., 323 Ga. App. 604 (Ga. Ct. App.) (standard of review on motion to dismiss)
- Whitehead v. Cuffie, 185 Ga. App. 351 (Ga. Ct. App.) (elements of negligence and requirement of actual injury)
- Finnerty v. State Bank & Trust Co., 301 Ga. App. 569 (Ga. Ct. App.) (fear of future identity theft too speculative for recovery)
- Rite Aid of Ga. v. Peacock, 315 Ga. App. 573 (Ga. Ct. App.) (speculative harm from data-related conduct insufficient for class-wide recovery)
- Boyd v. Orkin Exterminating Co., 191 Ga. App. 38 (Ga. Ct. App.) (no recovery for increased risk absent proof injury or reasonable medical certainty of future harm)
- Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir.) (data-breach plaintiffs must allege concrete injury; contrasting outcomes under other jurisdictions)