The Federal judge dismissed the lawsuit filed versus Sarrell Regional Dental Center for Public Health Inc. because of a ransomware attack in July 2019 as a result of insufficient standing.
Sarrell had recovered from the ransomware attack getting back its computer systems and data files without having to pay the ransom, though the dental center was compelled to shut down for two weeks to have its systems restored. There is no evidence found that suggest the access or download of patient data from its systems. Though the possibility of a data breach cannot be ruled out with 100% confidence therefore Sarrell sent notification letters to 391,000 patients who had their private and protected health information (PHI) potentially exposed.
The patients affected by the attack filed a legal case against Sarrell in 2019. The lawsuit wanted class-action status and damage compensation for patients who had their PHI potentially exposed in the breach. Allegedly, the patients suffered a greater risk of identity theft because of the attack and needed to pay for the price of credit monitoring services.
Judge R. Austin Huffaker Jr. expressed in his judgment that although the scope and depth of the PHI breach were “murky”, Sarrell had performed an investigation of the breach and did not find any evidence that the attackers accessed or exfiltrated the files that contain PHI. There was also no proof of misuse of any patient data.
The lawsuit alleged that the ransomware attack was a direct consequence of Sarrell’s failure to employ appropriate cybersecurity measures and standards and the identity thieves mos likely hold the personal data and PHI of the patients now. Therefore, patients impacted by the breach needed to use time and money securing themselves from identity theft and scams. Even so, Judge Austin Huffaker deemed the allegations as speculative, considering that the plaintiffs were unable to give at least a few credible precise allegations of actual or probable improper use of data.
Because the plaintiffs and putative class members were unable to lay claim they had endured identity theft or fraud resulting from the ransomware attack, the grounds to prosecute Sarrell over the security breach were insufficient. Judge Austin Huffaker stated that the fact of occurrence of the breach, in and of itself, is not enough, without any impending or probable misuse of protected information, to give plaintiffs with standing to sue Sarrell. The plaintiffs are unsuccessful to lay claim that they or those of the putative class endured actual identity theft. Rather, their pleading echoes probabilities and maybes.