A judge in Franklin County has dismissed a class action lawsuit brought against the City of Columbus following a major 2024 cyberattack that exposed the private information of nearly half a million residents. The ruling determined that the city cannot be held liable for damages because it qualifies as a political subdivision under Ohio law, which grants it immunity from certain types of lawsuits.
The lawsuit stemmed from a ransomware attack in which a hacking group known as Rhysida infiltrated the city’s computer systems and leaked sensitive personal data on the dark web. The breach impacted hundreds of thousands of individuals whose personal information, including addresses, contact details, and potentially other identifiable records, was compromised. While city officials initially claimed the stolen data had little value, cybersecurity experts and victims argued otherwise, pointing to the risks of identity theft and fraud.
Judge Carl A. Aveni acknowledged in his ruling that the plaintiffs demonstrated real harm and presented evidence showing injuries that could be directly traced back to the city’s systems being compromised. However, he ultimately sided with the city’s argument that its management of IT systems falls under “governmental functions,” which are shielded by Ohio’s Political Subdivision Tort Liability Act. That law grants broad legal protections to cities and municipalities for actions tied to essential government services.
In his written decision, Judge Aveni stressed the difficulty of the ruling, noting that if the defendant were a private company rather than a government entity, the plaintiffs would likely have had a valid case that could move forward in court. He remarked that the victims’ opportunity to prove negligence and seek compensation was effectively blocked by the immunity granted to the city. He also acknowledged that the individuals affected did nothing wrong yet suffered harm through no fault of their own.
The dismissal was issued with prejudice, meaning the plaintiffs cannot refile the lawsuit or pursue the same claims in another form against the City of Columbus. This conclusion brings an abrupt end to the legal efforts of those seeking accountability for the massive data leak, leaving victims without legal recourse against the city.
In response to the ruling, city officials expressed satisfaction, framing the outcome as validation of their position that maintaining IT services is a basic public responsibility akin to filling potholes or plowing snow. The city reiterated that it had taken steps to protect its systems and emphasized that the real blame lies with the Rhysida threat actors who orchestrated the cyberattack. Officials insisted that the administration continues to strengthen security and safeguard technology infrastructure in light of evolving cyber threats.
The ruling underscores a growing tension between the legal protections afforded to government entities and the real-world consequences of cyberattacks that impact citizens’ private information. As municipalities across the United States increasingly face ransomware threats, the Columbus case highlights the potential limitations for victims seeking redress when government systems are compromised.
Cybersecurity experts warn that such legal protections, while designed to ensure government functions can continue without constant litigation, may leave residents vulnerable in cases where their data is exposed. They argue that immunity statutes may not align with the realities of modern cyber risks, where stolen data can lead to lasting harm. Advocates have raised concerns that without accountability, governments may not be incentivized to invest adequately in robust protections, leaving personal data at risk of further breaches.
For Columbus residents affected by the attack, the frustration remains palpable. Many have expressed fears about long-term consequences from having their sensitive information exposed, including increased risks of scams and identity fraud. While the city continues to insist it has acted responsibly and placed blame on the hackers, victims are left to grapple with the fallout on their own, with no further legal path forward against the city itself.
The Columbus cyberattack and subsequent lawsuit dismissal mark one of the most significant recent examples of how courts interpret government immunity in the context of cybersecurity. It is likely to serve as a precedent for future cases in Ohio and possibly beyond, as local governments continue to face escalating threats from sophisticated cybercriminal groups. The decision also raises questions about whether legislative reforms may be necessary to balance protections for government entities with the rights of individuals whose personal information is compromised in these attacks.
