Labs and other custodians of personal health information have become a prime target for ransomware attacks. In addition to fines for Health Insurance Portability and Accountability Act (HIPAA) violations, failure to safeguard patient medical information against these threats can lead to liability under negligence and other state laws.
Explanation: HIPAA provides no private right of action, so the victims of ransomware and other cyberattacks generally cannot sue for money damages under HIPAA itself. However, potential liability for failing to keep patient health information secure and ward off cyberthreats goes well beyond HIPAA. Victims of cyberattacks have an arsenal of potent legal weapons at their disposal, including:
- Negligence: where the failure to safeguard personal health data violates the lab's duty to exercise reasonable care toward the patient;
- Gross negligence: a more serious form of negligence that likewise requires a duty of care between the party whose conduct was grossly negligent and the victim; and
- Negligence per se: a hybrid of tort and statutory law in which a statute sets the standard of reasonable behavior, so that violating the statute is itself treated as an act of negligence.
Get more insight in the March 2022 issue of Lab Compliance Advisor.