Senior Communications Manager
Kirk Nahra Comments on Need for HIPAA Update After MedStar Health Cyberattack
Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in a HealthcareInfoSecurity.com article about the recent cyberattack on MedStar Health, which may have involved ransomware. As a result of the recent surge in such attacks on hospitals, a member of Congress suggested that Health Insurance Portability and Accountability Act’s (HIPAA) breach notification requirements may need to be updated.
Mr. Nahra said that the increase in ransomware attacks doesn’t merit developing new legislation for breach notification. “These attacks really are directed at different kinds of issues—in most situations—than those where [breach] notice makes sense,” he added.
“Something like ransomware is a real problem for a hospital, because it makes their records inaccessible and unusable, but I’m not sure there’s any particular purpose to notifying every patient who was ever at the hospital about that kind of incident,” Mr. Nahra said. “There’s always a question of what the purpose of notice is. The original purpose of notice laws was in situations where an individual could reasonably take some action—like checking credit reports in the event of a breach involving Social Security numbers where there was a risk of identity theft. For these kinds of attacks, there’s nothing for the individual to do, so it’s not clear what the purpose of notice would be.”
To read the complete article, please click here.