Ransomware lawsuit against US dental practice thrown out

A judge has dismissed a legal action against a family dental and eye care practice in Alabama after a ransomware attack in January 2019 affected more than 391,000 individuals. 

While the extent and depth of the breach of data held by Sarrell Regional Dental Center for Public Health is “murky”, Judge Austin Huffaker said the practice’s investigation into the incident found no evidence any files or information were copied, downloaded or removed from its network, nor any evidence that information which may be involved was misused.

The lawsuit, which had sought class action status, alleged the plaintiffs faced increased risk of identity theft and the cost of monitoring their credit because of exposure of their personally identifiable information.

But Judge Huffaker said the plaintiffs failed to provide “at least some plausible specific allegation of actual or likely misuse of data,” online news source GovInfoSecurity reported.

“The fact that the breach occurred cannot, in and of itself, be enough, in the absence of any imminent or likely misuse of protected data, to provide plaintiffs with standing to sue,” he stated in his ruling.

In a statement issued last October, Sarrell said it did not pay a ransom to recover its data. “To protect health information in the future, we rebuilt our business systems with updated security and virus protection for the entire Sarrell network before reopening our practice,” it added.


Catch the replays and discover the best talks from Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.