The health care sector has seen an onslaught of data breaches in recent years, with more than 700 data breaches involving 500 or more records in each of the past three years. In the first quarter of 2024 alone, the Department of Health and Human Services (HHS) received 212 formal data breach notifications. As HHS aptly suggests, health care organizations are frequently considered “one-stop shops” that contain identity, financial and health information.

Cyberattacks can paralyze an organization’s operations and be tremendously costly and detrimental to patient care. In response, many legislative bodies and regulators have updated laws and issued guidance to better protect sensitive patient information. For example, Congress is considering a bipartisan bill to establish comprehensive data privacy rights and standards for data security; HHS has released guidance on cybersecurity actions and plans to propose cybersecurity requirements this spring through the Centers for Medicare & Medicaid Services (CMS) and the Office for Civil Rights (OCR); and the Federal Trade Commission (FTC) has updated its Health Breach Notification Rule and is enforcing it against digital health companies.