New Court Ruling Could Have Long-Lasting Effects on Healthcare Practices

Data breaches carry all kinds of expenses that can do serious damage to a clinic’s bottom line. That reality became more prominent last month when the Georgia Supreme Court ruled that data breach victims could sue for damages.

In June 2016 the Athens Orthopedic Clinic in Georgia suffered a data breach in which 200,000 patients’ data was stolen. The stolen data included names, addresses, and social security numbers. The criminal hacking group known as Dark Overlord was responsible for the theft, and some of the data ended up for sale online.

The recent verdict overturned an earlier ruling that allowed the clinic to dismiss the case. In similar prior cases, Georgia courts held that exposure of private data alone was not enough to bring a negligence suit, as the threat of ‘future harm’ was too hard to prove. In this case, however, the Supreme Court found that, since the data was actively stolen by a criminal group, it was much more likely that any given patient may suffer from identity theft, making a negligence claim supportable.

This case sets a precedent that may be followed in many states. With the ever-increasing rates of phishing attacks on businesses of all sizes and markets, data exposure and theft are common. This case suggests that if a bad actor is proven to be involved in stealing data, rather than the data being accidentally exposed, all affected victims of the data breach may have the right to sue for damages.

What does this mean for small medical practices? In addition to the cost of recovering from a data breach and managing public relations, you may also have to worry about future litigation brought against you by the patients whose data you failed to protect. To protect your practice from endless litigation, the first step is always proper network management and cyber security. The second step is cyber liability insurance, which will not only help in paying ransoms and recovery costs, but also assist in settling or fighting litigation brought against you in the case of a data breach.

As stewards of sensitive data, HIPAA-compliant entities should take all available precautions to protect the information that passes through their networks. This means having proper management, security, and training in place to mitigate risks.