Major data breaches that jeopardize the confidential personal, financial and health information of millions of Americans continue to make headlines. Virtually all organizations—including government—that compile and store personal data are vulnerable, as are the contractors, vendors, and others with whom they share such data. Recently, a security breach at a medical collection agency serving hospitals and clinical laboratories compromised the confidential information of between 20 and 25 million patients, including patients at a major hospital system in New York City. A large upstate health system recently agreed to pay $3 million and take substantial corrective action after personal health information of patients was improperly disclosed as a result of the loss of an unencrypted flash drive and the theft of an unencrypted laptop computer.

Earlier this year, New York’s Legislature enacted and Governor Andrew Cuomo signed into law the “Stop Hacks and Improve Electronic Data Security Act,” or the “SHIELD” Act (S.5575B/A.5635). The SHIELD Act adds important new requirements for businesses and organizations—including those throughout the health care sector—to safeguard personal and private information. The Act makes revisions to §899-aa and adds a new §899-bb to the General Business Law (GBL), and amends the State Technology Law.

Expanded Information Protected