Twenty Tennessee-based health care companies have reported data breaches in recent years that exposed personal and financial data of state residents, according to the U.S. Department of Health and Human Services Office for Civil Rights. Several of these companies subsequently faced class action lawsuits from patients whose data had been compromised.
Republican Sen. Shane Reeves recently introduced a bill that would make it harder for victims of data breaches to sue these companies, arguing that lawsuits against companies affected by such cyberattacks would be an added insult.
“We can't stop that attack,” Sen. Reeves said during a hearing this week. “But what we can do is set the stage so that they don't end up in civil litigation when they're trying to get back on their feet.”
The 2018 Senate bill would provide that “private companies will not be civilly liable in class actions arising from cybersecurity events unless the cybersecurity event was caused by intentional, wrongful conduct, or gross negligence on the part of the private company.”
Current Tennessee law requires companies to take “reasonable care” to prevent data breaches. But under the proposed bill, victims would have to prove that the company's cybersecurity practices were insufficient to prevent the attack, making it one of the most lenient policies in the country.
If passed, the bill would strengthen cybersecurity protections for critical infrastructure such as healthcare, especially in the wake of the February cyberattack on Change Healthcare that caused widespread outages that affected the ability to bill, verify eligibility, request prior authorization, and fulfill prescriptions for millions of patients. It also would not comply with federal recommendations from the Infrastructure Security Agency.