Washington Appeals Court rules health agency could be liable for 2021 cyberattack exposing client data

In a significant ruling, the Washington Court of Appeals has overturned a previous decision, stating that the Chelan-Douglas Health District (CDHD) may be held accountable for a 2021 cyberattack that compromised the sensitive health information of 109,000 clients. The appellate court’s decision, issued Thursday, reverses Chelan County Superior Court Judge Kristin Ferrera’s earlier dismissal of a lawsuit brought by Sarah Nunley and Michelle Slater, two plaintiffs affected by the data breach.

Nunley and Slater alleged that the breach had led to a barrage of spam communications and, in one case, unauthorized use of stolen data for a business license application. They argued that CDHD had failed to secure their personal information, and the appeals court agreed they should be able to demonstrate damages in the trial.

Acting Chief Judge Tracy Staab, writing for the three-judge panel, highlighted that CDHD had prior knowledge of the cybersecurity risks to its system. The FBI warned the agency in early 2021 of a looming cyberattack and had received phishing attempts via email. Despite these warnings, Staab noted that CDHD had not effectively bolstered its security protocols before the May 2021 cyberattack, leaving client data vulnerable to unauthorized access.

“We hold that the Health District owed the Plaintiffs a duty to use reasonable care in the collection and storing of their personal information, and this duty includes taking reasonable steps to prevent unauthorized access and disclosure of the information,” Staab wrote in the appellate opinion. Staab further noted that Nunley’s data, including her Social Security number, was later discovered on dark web platforms, heightening the security concerns.

The plaintiffs’ suit seeks damages, citing specific harm from CDHD’s alleged negligence. However, Judge Ferrera had previously ruled that they had failed to demonstrate tangible harm, leading to the case’s initial dismissal. The appellate court’s decision reinstates the case, setting the stage for a trial where Nunley, Slater, and others affected could seek compensation.