Patricia O'Connell
Senior Communications Manager

Kirk Nahra Comments on Need for HIPAA Update After MedStar Health Cyberattack

Healthcare Info Security
March 29, 2016

Kirk J. Nahra, chair of Wiley Rein’s Privacy Practice and co-chair of the Health Care Practice, was quoted in an article about the recent cyberattack on MedStar Health, which may have involved ransomware. As a result of the recent surge in such attacks on hospitals, a member of Congress suggested that the Health Insurance Portability and Accountability Act’s (HIPAA) breach notification requirements may need to be updated.

Mr. Nahra said that the increase in ransomware attacks doesn’t merit developing new legislation for breach notification. “These attacks really are directed at different kinds of issues—in most situations—than those where [breach] notice makes sense,” he added.

“Something like ransomware is a real problem for a hospital, because it makes their records inaccessible and unusable, but I’m not sure there’s any particular purpose to notifying every patient who was ever at the hospital about that kind of incident,” Mr. Nahra said. “There’s always a question of what the purpose of notice is. The original purpose of notice laws was in situations where an individual could reasonably take some action—like checking credit reports in the event of a breach involving Social Security numbers where there was a risk of identity theft. For these kinds of attacks, there’s nothing for the individual to do, so it’s not clear what the purpose of notice would be.”
