Las Vegas plastic surgery practice files for cyberhack lawsuit to be dismissed

LAS VEGAS, Nev. (FOX5) - A Las Vegas plastic surgery practice facing a class-action lawsuit after it suffered a cyberattack that resulted in private patient information, including photos, reportedly being leaked online has filed a motion asking for the suit to be dismissed.

Hankins & Sohn Plastic Surgery Associates filed the motion in federal court on November 14, alleging that plaintiffs failed to state a claim upon which relief could be granted. The 24-page filing alleged that the plaintiffs have “failed to meet the legal requirements for class certification” and added that “the practice was not negligent in that it implemented reasonable security measures to safeguard Plaintiff’s personal identifiable information.”

Las Vegas plastic surgery practice sued after cyber hack, leak of patient photos and data

The filing acknowledged that the practice was a victim of a criminal cyberattack in February “like so many companies and entities before it.” The defendants noted that, “Immediately upon discovering the cyberattack, the Practice worked quickly and decisively to disable the impacted accounts, reset passwords, and thoroughly investigate the issue.” The filing added that the FBI also became involved in the investigation.

“Plaintiffs did not bring this class action due to the fact that each of the purported class members experienced any damages. In fact, many of the persons whom Plaintiffs claim are class members have not suffered damages.”

Hankins & Sohn, Motion to Dismiss, U.S. District Court, District of Nevada, November 14

The filing added that the plaintiffs have “failed to plead any facts to demonstrate damages or injuries to other class members.”

The motion continued that the Ninth Circuit recently affirmed the dismissal of a data breach class action lawsuit with facts “nearly identical” to this matter, noting that the court held that “the mere misappropriation of personal information does not establish compensable damages.”

The defendants also called the plaintiff’s assertion of negligence “misrepresentation.”

“First, the Practice implemented reasonable computer security measures when it hired an IT professional to install and maintain enhanced safety and security measures within its computer systems,” the filing said. “Second, because the Practice had implemented reasonable security measures within its computer system, the data breach was not foreseeable and, obviously, the Practice had no prior notice that a criminal cyberattack would occur at their office.”

The motion said that the negligence claim should be dismissed for failure to state a claim, and it alleged that the plaintiffs have “failed to sufficiently allege cognizable damages.” It also said that an unjust enrichment claim “fails as a matter of law,” as do multiple other claims made in the complaint.

Dr. Warren Tracy Hankins, president of the practice, filed a declaration in support of the motion to dismiss, noting that the business hired an IT specialist to implement and maintain “enhanced safety and security measures” more than one year before the breach. His filing reiterated that the cyberattack “occurred unexpectedly and without prior notice despite the enhanced computer security measures in place throughout the Practice’s computer system.”