Amid growing concerns over class-action lawsuits against healthcare organizations following data breaches, state lawmakers are taking action to limit liabilities for these organizations, Politico reported July 29.
Tennessee has recently joined Connecticut, Ohio and Utah in enacting measures to protect organizations that adhere to specified security protocols from what lawmakers view as excessive legal repercussions.
According to Politico, the move to mitigate liability follows a series of high-profile cyberattacks targeting the healthcare sector. These breaches have threatened patient safety and inflicted financial damage, prompting legislative responses aimed at shielding healthcare providers from undue legal burdens.
In June, Florida came close to passing similar legislation, but Gov. Ron DeSantis vetoed the bill, arguing that it failed to sufficiently encourage robust cybersecurity practices. However, the increasing sophistication of cyberattacks and the resulting surge in lawsuits have underscored the need for balanced legal protections for healthcare providers.
According to Politico's analysis, more than 144 million Americans had their health data compromised in 2023, nearly triple the figure from the previous year.
Florida state Rep. Mike Giallombardo, a cybersecurity firm owner and advocate for the state's liability-limiting bill, explained the predicament faced by healthcare organizations.
"What happens is they get hacked and then by law they have to report there is a breach, and then you have these class-action suits pop up," he told Politico. "The victim is being sued for tens of millions of dollars for so-called negligence when the fact is they weren't negligent. Nobody's immune from this."
However, this legislative trend has met resistance from attorneys and patients, who argue that healthcare firms are not doing enough to protect sensitive patient data.
For example, critics contend that the new laws prioritize limiting financial liabilities over improving cybersecurity measures. Thomas Loeser, a partner at Cotchett Pitre and McCarthy, which represents consumers in class-action lawsuits, expressed skepticism about the motives behind the legislation.
"These [health care] companies make millions and millions of dollars, and they just profit," he told Politico. "They don't spend the money to protect the information they collect from consumers because nobody has made them do it."