As cyberattacks on healthcare organizations surge, several state-level lawmakers are pushing back against what they see as excessive class-action lawsuits over data breaches in the United States. Several states have moved to reduce liability for healthcare providers that adopt new security protocols.
Tennessee is the latest state to join the growing list of those that have moved to reduce liability for healthcare providers, amid the ongoing debate over balancing adequate cybersecurity measures with patient protections.
Growing Factor in United States Healthcare
The push to limit liability comes amid a surge in data breaches, with more than 144 million people in the U.S. having their health data compromised in 2023 alone. This number is nearly triple the total from 2022, and it highlights the growing threat that hackers pose to the healthcare sector. Healthcare organizations have become a prime target for cyberattacks, with hackers seeking to exploit sensitive patient information for financial gain.
Lawmakers argue that healthcare providers cannot reasonably be held responsible for every attack, and that the current system of class-action lawsuits is unfair. “What happens is they get hacked and then by law they have to report there is a breach, and then you have these class-action suits pop up,” said Florida state Rep. Mike Giallombardo, a Republican who helped pass a bill to limit liability. “The victim is being sued for tens of millions of dollars for so-called negligence when the fact is they weren’t negligent. Nobody’s immune from this.”
Critics Argue that Healthcare Firms Are Not Doing Enough
However, critics argue that healthcare firms are not doing enough to safeguard patient information, and that the new laws will only serve to minimize payouts rather than incentivize cybersecurity. “These companies make millions and millions of dollars, and they just profit,” said Thomas Loeser, a partner at Cotchett Pitre & McCarthy, which represents consumers in class-action suits.
“They don’t spend the money to protect the information they collect from consumers because nobody has made them do it.”
Patient advocates worry the laws prioritize minimizing payouts over improving security. But lawmakers say healthcare providers are unfairly targeted by lawsuits when breaches occur despite reasonable precautions.
Looking Ahead
Proponents say liability limits will allow healthcare organizations to invest in cybersecurity rather than legal defense. But critics argue the laws remove incentives for protecting patient data.
The trend toward limiting liability is likely to continue as more states consider similar legislation. But the approach remains controversial, with patient advocates and cybersecurity experts divided on its potential impacts.
Some argue stronger federal standards are needed to ensure consistent protections nationwide. Others say state-level innovation allows for tailored approaches. As the healthcare sector faces mounting cyber threats, the liability debate is poised to intensify. Lawmakers must weigh complex tradeoffs between security incentives, accountability and patient rights.