State attorneys general have been increasingly ramping up investigations and cracking down on data breaches at health care organizations.
Although hospitals and health systems are well-versed in reporting data breaches to the Office for Civil Rights because of HIPAA, the privacy scope of state attorneys general is more far-reaching. While HIPAA applies only to health-related information, state attorneys general can also focus on data breaches involving personally identifiable information (PII).