The following post was contributed by our colleague Lucy Li.

HIPAA itself does not provide a private right of action. So when a hacker or rogue employee impermissibly accesses or interferes with electronic data or data systems containing protected health information, an employer subject to HIPAA cannot sue the perpetrator under HIPAA.  Similarly, when a ransomware attack blocks access to protected health information, employers also cannot sue under HIPAA.  HIPAA violations and ransomware attacks and can be costly to deal with.  Just ask Hollywood Presbyterian Medical Center. But employers have one potential remedy: suing the perpetrator of the access, interference, or misuse for violating the Computer Fraud and Abuse Act (“CFAA”).

The CFAA is a federal law that prohibits fraudulent access to protected computer information. The law prevents unauthorized access or access that exceeds the user’s authority to a protected computer to obtain private information, such as patient data or trade secrets.  The law also prohibits the use of ransomware to extort money or anything of value. If these cyber-attacks occur, the CFAA allows the employer to file a civil lawsuit against the hacker or the rogue employee to recover damages for economic harm.

Best Practices and CFAA Tips

  1. Prevention is best. Encrypt your data and use sophisticated firewalls and security patches to prevent hackers from accessing protected information. Litigation is a tool to recover for economic harm, but it is costly.
  2. Limit electronic access. Give employees or contractors just enough access to perform their job duties. Nothing more.
  3. Disable log-in rights of an ex-employee or contractor as soon as the employment or contractual relationship ends.
  4. State law. The applicability of the CFAA varies by state. Individual states may also have their own causes of action under state computer fraud laws or trade secret appropriation for stealing patient lists.  These laws may be additional tools to help you recover from a HIPAA violation or a ransomware attack.