The Washington Court of Appeals revived a Chelan-Douglas Health District data breach case that the Chelan County Superior Court dismissed. In June 2022, the public health agency of Wenatchee Valley in Washington, Chelan-Douglas Health District, faced a lawsuit because of a cyberattack and data breach it encountered in 2021. The incident affected the protected health information (PHI) and personally identifiable information (PII) of approximately 109,000 people.
Sarah Nunley and Michelle Slater filed the lawsuit individually, representing other victims impacted by the data breach. Allegedly, the plaintiffs began getting spam telephone calls and email messages associated with medical services after the data breach. They received phone calls from people professing to work at the health district. Nunley claimed that her private data was used to register an unauthorized business. She also stated receiving notification from her credit monitoring service about her Social Security number being posted two times on dark websites and from Goldman Sachs about “soft pulls” on her credit.
The lawsuit stated that the health district neglected to use reasonable and proper safety measures to protect the privacy of the sensitive information it collected and kept. The health district knew in 2020 that the PII and PHI it saved were vulnerable because of its inadequate security protocols, yet did not take proper action to minimize risks and vulnerabilities. The lawsuit also stated that FBI agents reached out to the health district at the beginning of May 2021 because of an upcoming cyberattack. From May 10 to May 14, the health district encountered two attempted cyberattacks on its systems and one attempted phishing attack. Despite these incidents, the health district did not take action to enhance security. Then, from July 2 to July 4, another cyberattack happened resulting in the exfiltration of sensitive data from its system. If the health district had taken action after receiving the FBI warning, it could have prevented the attempted cyberattacks and the July data breach.
Nunley stated mitigating the impact of the data breach took at least 5 hours and she has endured emotional stress because of the stolen PHI. The two plaintiffs assert actual harm through a diminution in the worth of their PII and the probable injury from the greater risk of fraud. Chelan-Douglas Health District submitted an appeal to dismiss the case because the plaintiffs did not claim the health district owed them a duty of care and did not petition cognizable injuries. Chelan County Superior Court Judge Kristin Ferrera dropped the case with prejudice for not stating a claim for which to grant relief.
The plaintiffs submitted a motion to reconsider the decision, which was approved by a three-judge appellate panel and overturned the decision. Acting Chief Judge Tracy Staab stated that companies that gather and keep personal health information (PHI) and personal identifiable information (PII) have a responsibility to take care in accumulating and keeping the data. This responsibility involves taking appropriate steps to stop unauthorized access and exposure of the data. The lawsuit currently goes back to the Chelan County Superior Court, though Chelan County Health District can file an appeal to reverse the decision with the Washington Supreme Court.
