We like to keep our readers up to date on complex regulatory issues, the latest industry trends and updated guidelines to help you to solve a problem or make an informed decision.
The Nevada Health Data Privacy Act and the EU Data Act highlight evolving efforts to regulate data access, sharing, and privacy, with specific focus areas like healthcare and industrial data. AI governance progresses with updates to the AI Act, addressing high-risk applications and impact assessments, while international cooperation, such as the Atlantic Declaration and the EU-WHO digital health partnership, fosters innovation and privacy-enhancing technologies. Meanwhile, enforcement actions like the FTC’s case against genetic testing company 1Health and ransomware attacks on biotech firms like Enzo Biochem underline the critical need for robust data protection measures in both regulatory and operational practices.
Regulations
Nevada Health Data Privacy Bill
The State of Nevada has adopted its own Health Data Privacy Act which will be effective March 31, 2024. This Act was modeled after Washington's My Health Data Act, but unlike it, the Act doesn't carry a private right of action. The adoption of this Act shows the growing concerns about health data privacy and more generally about data privacy.
The Data Act is a legislative proposal to regulate how industrial data is accessed and shared. It concerns Business-to-Customer and Business-to-Business data-sharing. Some points are still under discussion, such as how to deal with trade secrets, the territorial scope, the problem of product safety and the date of application. Furthermore, cloud providers are mandated to avoid creating barriers for users wanting to switch to a different provider.
The AI Act Is Underway With The AI Rulebook Adopted
The AI rulebook is part of the AI Act, a European legislation pertaining to Artificial Intelligence (AI).
On June 14th, changes to the text were enacted, and all propositions that hadn't been agreed upon in committee were dismissed. New and more specific duties were put forth for high-risk AI providers, and the need to conduct fundamental rights impact assessments and environmental impact monitoring was introduced. Following this, inter-institutional discussions will be held between the EU Parliament, the EU Council of Ministers, and the European Commission. T
A New Framework For Data And AI Between The US And The UK
The Atlantic Declaration between the US and the UK establishes the need for a new data bridge between the two countries. The establishment of this data bridge could significantly streamline the process of data transfers for everyone involved. To achieve this, some adjustments still need to be made on both sides of the pond. The Declaration also announces an accelerated cooperation with a focus on ensuring the safe and responsible development of the technology. The countries will also deepen the collaboration on Privacy Enhancing Technologies (PETs).
Clinical Test Data Of 2.5 million People Stolen From Biotech Company Enzo Biochem
In April, Enzo Biochem experienced a ransomware attack that impacted 2.5 million people. Test information, names and 600,000 social security numbers were stolen. Upon notice of the ransomware attack, the company deployed containment measures, such as disconnecting its systems from the internet, and notified law enforcement. It is still evaluating the full cost and impact of this attack. The company confirmed in the SEC filing that this event had brought scrutiny from regulatory authorities.
The European Commission and WHO: Digital Health Partnership
On June 5th, the EU Commission and the World Health Organization launched a digital health partnership. “Building on the EU’s highly successful digital certification network, WHO aims to offer all WHO Member States access to an open-source digital health tool, which is based on the principles of equity, innovation, transparency and data protection and privacy,” said Dr Tedros Adhanom Ghebreyesus, WHO Director-General. “New digital health products in development aim to help people everywhere receive quality health services quickly and more effectively”.
Bias in AI-based Models For Medical Applications: Challenges And Mitigation Strategies
AI is increasingly used, or planned to be used, in healthcare, from AI-augmented clinical research to algorithms for image analysis or disease prediction. While artificial intelligence holds immense potential, it also poses certain threats, such as the propensity for bias, which predominantly affects marginalized communities. AI model development stages like data collection, creation, evaluation, and clinical deployment can introduce bias. Broad data access is crucial for model training but should honor privacy norms.
G7 Data Protection Authorities Point To Key Concerns On Generative AI
The G7 Data Protection and Privacy Authorities (DPAs) met on the 20th and 21st of June in Japan to discuss key privacy and data protection topics, including the development of the concept of Data Free Flow with Trust (DFFT) and its future operationalization, emerging technologies and enhancing enforcement cooperation. Following their meeting, the G7 DPAs issued a brief on generative AI, highlighting key privacy and data protection risk areas.
The potential of blockchain technology extends into various sectors, including healthcare. This technology could facilitate a secure exchange of a patient's health records. A decentralized approach would enhance data security and enable tracking of record access, revealing who has accessed the data and who has the authority to do so. Thus, blockchain could be an answer to the conundrum between privacy, security and the need to share the data with all interested parties.
Data Privacy Enforcement
PRHC Reaches $988K Proposed Settlement For Patient Privacy Breaches In 2011-2012
The Peterborough Regional Health Centre (Canada) proposed a settlement of $988,550 in a class-action lawsuit relating to patient health records being wrongfully accessed by former employees in 2011-2012. Approximately 280 patients were affected by these patient privacy breaches, in which their personal information was inappropriately accessed. This demonstrates the importance of implementing a robust policy for access control; otherwise, adverse effects may ensue.
FTC Against Genetic Testing Company 1Health
The Federal Trade Commission (FTC) issued an administrative complaint against the genetic testing firm 1Health.io as it left sensitive genetic and health data unsecured, deceived consumers about their ability to get their data deleted, and changed its privacy policy retroactively without adequately notifying and obtaining consent from consumers whose data the company had already collected. The FTC proposed a settlement which includes DNA deletion requirements, the prohibition of sharing health data with third parties and $75,000 as consumer refunds.
April brought major updates in data transfer, AI regulation, and healthtech innovation—including EU adequacy extensions, new AI tools, and iliomad’s Advisory Board launch.
Regulators in Europe and the UK advance AI governance, data protection, and cybersecurity, while healthtech innovations like Owkin and Apple reshape digital healthcare.
In this edition, we cover major regulatory shifts and AI advancements shaping healthcare and data security. The U.S. tightens HIPAA security rules, the EU rolls out the European Health Data Space (EHDS) for cross-border health data exchange, and new U.S. regulations restrict sensitive health data transfers to certain countries. Meanwhile, AI is revolutionizing healthcare, with Truveta’s 10M-volunteer Genome Project, Owkin’s AI-powered drug development, and AI-driven medical scribes making waves—though accuracy concerns remain. On the data privacy front, GDPR fines have soared to €5.88B, with Ireland leading at €3.5B, and the UK ICO reports 36K data complaints and £1.27M in fines, highlighting ongoing challenges in digital security.