New York Expands Data Breach Notification Requirements for Health Care Entities
On July 25, 2019, Governor Andrew Cuomo signed the Stop Hacks and Improve Electronic Data Security (“SHIELD”) Act into law. Notably, the SHIELD Act broadens the definition of a “ data breach” and further expands data breach notification requirements. Under the SHIELD Act, a data breach occurs any time private data is acquired or accessed without authorization. In addition to providing breach notifications to affected individuals and the Secretary of Health and Human Services, health care entities are required to notify the New York State Attorney General’s Office. As precautionary measures, health care entities should avoid disclosing the personal and/or medical information of their patients without their consent. It is crucial for these entities to be aware of the SHIELD Act and the new requirements it imposes.
Blog post authored by Jean Krebs