Breach or Ransomware Attack? Can’t Sue Under HIPAA, but Maybe Under CFAA
Lucy Li of Fox Rothschild writes:
HIPAA itself does not provide a private right of action. So when a hacker or rogue employee impermissibly accesses or interferes with electronic data or data systems containing protected health information, an employer subject to HIPAA cannot sue the perpetrator under HIPAA. Similarly, when a ransomware attack blocks access to protected health information, employers also cannot sue under HIPAA. HIPAA violations and ransomware attacks and can be costly to deal with. Just ask Hollywood Presbyterian Medical Center. But employers have one potential remedy: suing the perpetrator of the access, interference, or misuse for violating the Computer Fraud and Abuse Act (“CFAA”).
The CFAA is a federal law that prohibits fraudulent access to protected computer information. The law prevents unauthorized access or access that exceeds the user’s authority to a protected computer to obtain private information, such as patient data or trade secrets. The law also prohibits the use of ransomware to extort money or anything of value. If these cyber-attacks occur, the CFAA allows the employer to file a civil lawsuit against the hacker or the rogue employee to recover damages for economic harm.
Read more on Fox Rothschild HIPAA, HITECH, HIT