May 3, 2026

Cybersecurity Remains Health Care Industry’s Biggest Legal Risk

Data breaches represent a serious and growing legal liability risk for the New York healthcare industry, with frequent, large-scale incidents caused by cyberattacks and ransomware. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) reports that in the past 24 months it has received notice of 41 breaches of protected health information occurring in New York that each affected 500 or more individuals, the threshold that triggers the specific and time-bound notification requirements of the HIPAA Breach Notification Rule. Recent high-profile data breaches involving New York healthcare organizations include:

The cyberattack against Change Healthcare (UnitedHealth Group) disclosed in February 2024 affecting approximately 4 million New Yorkers and 192.7 million people nationwide.

The New York Attorney General’s settlement in late 2024 for $2.25 million with Albany ENT & Allergy Services, P.C. for cyberattacks that compromised over 200,000 patient records.

The Richmond University Medical Center’s ransomware attack in early 2025 that affected over 670,000 individuals.

In response to data breaches and cyber threats such as those mentioned above, New York State has recently implemented some of the most stringent data security laws in the nation. These include: 

The Stop Hacks and Improve Electronic Data Security Act (N.Y. SHIELD Act), adopted in 2019, requires businesses to implement reasonable safeguards to protect the private information of New York residents and to notify affected individuals in the event of a data breach. The law was strengthened further in December 2024 and February 2025 to add, among other things, a 30-day deadline for notifying affected individuals of a breach and an expanded definition of private information that now includes medical and health insurance information.

In October 2024, the New York State Department of Health finalized new cybersecurity regulations for hospitals. The regulations expand the scope of protected data to “nonpublic information,” which includes sensitive personally identifiable information that is not necessarily PHI; require hospitals to notify DOH within 72 hours of determining that a cybersecurity incident has occurred; and mandate robust security measures, including annual risk assessments.

In addition, on January 22, 2025, the New York Health Information Privacy Act (NYHIPA) passed both houses of the New York State Legislature. The bill is awaiting action by Governor Kathy Hochul, and there is a strong expectation that the bill will be enacted in some form. If enacted, the law would apply to entities that control the processing of “regulated health information” (RHI) for New York residents or individuals physically present in New York.

NYHIPA would expand health data privacy protections beyond federal HIPAA by strictly regulating the collection and sale of RHI and imposing strict consent requirements for processing or selling RHI. The act would grant individuals the right to access and delete their data and would establish strong data protection requirements for regulated entities and their service providers. The New York State Attorney General would be responsible for enforcement, with potential penalties of up to $15,000 per violation or 20% of a company’s revenue from New York consumers.

Attorneys in Bleakley Platt & Schmidt’s Health Law Practice Group and Information Technology and Cybersecurity Law Group stay abreast of the rapidly evolving data security laws and have extensive experience representing clients in connection with a wide variety of data privacy and security matters and data breach responses. 
