A legal action filed against Sarrell Regional Dental Center for Public Health Inc. in relation to a July 2019 ransomware attack has been thrown out by a federal judge due to a lack of standing.
Sarrell was able to recover from the attack and restore its computer systems and data without meeting the ransom demand, although the dental center was forced to shut down for a period of two weeks while its systems were restored. No proof was found that patient data was accessed or downloaded from its systems, but it was not possible to eliminate the possibility of data theft. Consequently, notification letters were sent to all individuals potentially impacted by the attack. The breach report submitted to the HHS’ Office for Civil Rights shows the personal and protected health information (PHI) of 391,000 patients was potentially compromised.
A legal action was filed against Sarrell in 2019 on behalf of patients impacted by the attack. The lawsuit sought class action status and damages for patients whose PHI was possibly compromised in the attack. The legal action claimed patients faced a higher risk of identity theft and fraud due to the attack and had to pay to cover the cost of credit monitoring services.
Judge R. Austin Huffaker Jr. commented in his ruling that while the extent and depth of the breach were “murky”, Sarrell had conducted an investigation into the attack and found no proof that files containing protected health information had been obtained by the attackers, and no proof that patient information had been improperly used in any way.
The legal action claimed that the ransomware attack was a direct result of Sarrell's failure to implement reasonable cybersecurity procedures and protocols, and that patients’ personal and protected health information was now probably in the hands of identity thieves. Consequently, patients impacted by the breach had to spend time and money protecting themselves against identity theft and fraud. However, Judge Austin Huffaker thought the claims were speculative, since the plaintiffs failed to provide “at least some plausible specific allegation of actual or likely misuse of data.”
As the plaintiffs and putative class members did not claim they had suffered identity theft or fraud as a result of the ransomware attack, there were insufficient grounds to sue Sarrell for the security breach.
Judge Austin Huffaker said: “The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide plaintiffs with standing to sue. The plaintiffs fail to allege that they or members of the putative class have suffered actual identity theft. Instead, their pleading speaks of ‘possibilities’ and traffics in ‘maybes’.”