Sarah Nunley v. Chelan-Douglas Health District

Court of Appeals of Washington
Not yet reported (2024)
Rule of Law:

Entities that collect and store personal identifiable information (PII) and personal health information (PHI) have a legal duty to exercise reasonable care to prevent unauthorized access and disclosure of that information. A plaintiff alleging negligence in a data breach can assert cognizable injuries, including mental distress, inconvenience, and the diminished value of their personal identity, even in the absence of out-of-pocket financial losses.


Facts:

  • The Chelan-Douglas Health District (Health District) collected and stored personal identifiable information (PII) and personal health information (PHI), including names, Social Security numbers, dates of birth, financial account information, and medical details, for individuals like Sarah Nunley and Michelle Slater.
  • Beginning in 2020, the Health District was aware that the PII and PHI it stored were vulnerable to data breaches and that its security protocols were inadequate, but it failed to improve security or hire necessary IT personnel.
  • In early May 2021, FBI agents warned the Health District of an impending cyber-attack.
  • Between May 10 and May 14, 2021, hackers attempted two separate attacks on the Health District’s systems, and an email phishing attack also occurred, yet the Health District did not improve its security measures.
  • Between July 2 and July 4, 2021, the Health District’s network suffered a data breach, resulting in the removal of PII and PHI belonging to approximately 108,906 individuals in Washington State.
  • Sarah Nunley, a patient, received notice in March 2022 that her PII and PHI, including medical information and date of birth, were exposed; she subsequently experienced an increase in spam calls and emails, her Social Security number appeared on the dark web, and an unauthorized business license was opened in her name, causing her to spend at least five hours and suffer emotional distress.
  • Michelle Slater, another individual affected, received a similar notice that her PII and PHI were exposed and made efforts to mitigate potential harm, despite having no known relationship with the Health District.
  • Nunley and Slater both allege actual injury in the form of damage and diminution in the value of their PII and PHI, an increased risk of fraud, and anticipate spending considerable time and money to mitigate these harms.

Procedural Posture:

  • Sarah Nunley filed a class action lawsuit for negligence against Chelan-Douglas Health District in superior court (trial court) on behalf of herself, Michelle Slater, and other affected Washington residents.
  • The Health District filed a CR 12(b)(6) motion to dismiss, arguing that it did not owe the Plaintiffs a duty of care and that they failed to allege a cognizable injury.
  • The superior court granted the Health District’s motion to dismiss with prejudice for failure to state a claim upon which relief could be granted.
  • Nunley and Slater (Appellants) appealed the trial court’s dismissal order to the Washington Court of Appeals, Division Three.


Issue:

1. Does an entity that collects and stores personal identifiable information (PII) and personal health information (PHI) owe a duty of care to protect that information from the foreseeable criminal acts of third-party hackers?

2. Do plaintiffs allege a cognizable injury sufficient to support a negligence claim in a data breach case when they claim mental distress, inconvenience, time spent mitigating risks, and a decrease in the value of their personal identity, but no out-of-pocket expenses?


Opinions:

Majority - Staab, A.C.J.

Yes, an entity that collects and stores PII and PHI owes a duty of care to protect that information from foreseeable criminal acts. The court held that the Health District’s affirmative act of collecting, retaining, and storing large amounts of sensitive PII and PHI on its network created a new and greater risk of criminal interference, thus establishing a duty to use ordinary care to protect that information. This reasoning aligns with the Restatement (Second) of Torts § 302B, which recognizes a duty to guard against foreseeable criminal conduct where an actor's affirmative act creates or exposes another to a high degree of risk, especially where the actor has knowledge of peculiar conditions or control over property (here, the PII/PHI) that creates a peculiar temptation for misconduct. The court highlighted that the Health District had specific knowledge that its system was being targeted. This duty is further supported by Washington's strong public policy of protecting individuals from identity theft, as evidenced by numerous statutes (e.g., RCW 9.35.001, RCW 19.255.010, the Uniform Health Care Information Act, the My Health My Data Act, the Public Records Act, and the creation of the Office of Privacy and Data Protection).

Yes, plaintiffs have alleged cognizable injuries sufficient to support a negligence claim in a data breach case, even without claiming out-of-pocket expenses. The court determined that the allegations that PII and PHI were taken by hackers with intent to use them for illegal purposes satisfy Washington’s definition of identity theft (RCW 9.35.020(1)), constituting a current invasion of a legally protected interest rather than merely a potential future harm. Regarding the specific types of harm alleged:

1. Fear and Inconvenience (Mental Distress): While courts are cautious about awarding damages for emotional distress alone, absent physical injury or an intentional tort, the court noted that plaintiffs are not required to allege the specific factors that determine emotional distress damages at the complaint stage. It is conceivable they could produce evidence to support an award for inconvenience and emotional distress under existing legal scenarios, especially given the pre-existing patient-provider relationship.

2. Decrease in Value of Identity: The court adopted the reasoning that a person’s PII and PHI can have inherent value that is diminished or destroyed when misappropriated for illegal purposes. Citing federal cases such as In re Marriott International, Inc. and Washington’s robust statutory framework for protecting personal information, the court concluded that the loss in value of PII/PHI constitutes a current harm and a cognizable injury. Nunley's allegations that her Social Security number appeared on the dark web and that an unauthorized business license was opened in her name supported this claim.

3. Risk of Future Economic Harm: While this alone would not support a negligence claim, the court held that because current harm was sufficiently alleged, the claim for future economic harm could survive a motion to dismiss; the plaintiffs have experienced actual harm, even if all resulting damages have not yet been sustained.



Analysis:

This case significantly expands the scope of negligence liability for data breaches in Washington State, making it easier for plaintiffs to pursue claims against entities that collect and store sensitive personal information. By establishing a clear duty of care even for third-party criminal acts and recognizing non-traditional forms of injury like emotional distress, inconvenience, and the diminished value of PII/PHI, the court acknowledges the modern realities of data security and identity theft. This ruling lowers the bar for plaintiffs to survive initial dismissal motions, forcing companies to seriously consider their data security practices or face potential liability, thus strengthening consumer protection in the digital age.
