Law Faculty Scholarship

Document Type

Article

Publication Date

Winter 2026

Abstract

This article analyzes the growing problem of ransomware attacks in the healthcare sector and evaluates the evolving legal frameworks used to address cybersecurity risks affecting patient data. The authors trace the rapid increase in ransomware incidents, driven in part by the rise of digital health records and cryptocurrency-enabled extortion, and highlight the significant operational and privacy harms resulting from such attacks. The article critically examines existing federal and state legal mechanisms—including statutes such as HIPAA, criminal fraud provisions, and emerging state-level immunity laws—and argues that current approaches are insufficient due to jurisdictional challenges, particularly the transnational nature of cybercrime and the low likelihood of detection and prosecution. It further explores a shift in legal and regulatory responses toward imposing liability on healthcare entities rather than focusing on cybercriminal perpetrators, including the rise of class action litigation following data breaches. The authors contend that an overemphasis on healthcare provider liability risks increasing costs for consumers without effectively deterring cybercrime. Instead, the article advocates for a balanced framework that assigns responsibility to healthcare organizations for implementing reasonable cybersecurity measures while promoting coordinated efforts among government agencies, industry actors, and international partners to address the root causes of cyber threats. Ultimately, the article calls for integrated legislative, regulatory, and policy reforms to more effectively mitigate cybersecurity risks while maintaining equitable accountability.

Download

Share

COinS