Daniel J. Kagan

Photo of Daniel J. Kagan

Dan Kagan is an Associate in the Health Care, Long Term Care and Privacy and Cybersecurity Groups. He represents hospitals, physicians, nursing homes, assisted living communities, CCRCs and other health care clients with a wide range of regulatory, compliance, risk management, transactional and reimbursement issues.

With regard to Privacy and Cybersecurity, Dan has experience drafting privacy policies and notices, website terms of use, written information security plans and incident response plans.  Dan counsels clients on compliance issues related to state, federal and international privacy laws including the General Data Protection Regulation (GDPR).  Dan also has experience representing both health care and non-health care clients that have suffered data breaches and assists such clients with breach response and applicable reporting obligations.  Dan writes extensively on privacy and cybersecurity issues and is a co-editor of Murtha's Privacy and Cybersecurity Perspectives blog.

As a member of the Health Care and Long Term Care groups, Dan has experience representing clients with HIPAA compliance, Stark and anti-kickback analyses, purchase and sale transactions, reviewing and drafting contracts, certificate of need requirements, rate appeals, Medicare and Medicaid audits, medical staff and credentialing matters, licensing and change of ownership proceedings.

Prior to joining Murtha Cullina, Dan clerked for the Honorable Lubbie Harper, Jr. and the Honorable Joseph H. Pellegrino of the Connecticut Appellate Court.

Dan received his J.D. with honors from the University of Connecticut School of Law where he was a Notes and Comments Editor for the Connecticut Insurance Law Journal. He earned his Bachelor of Arts in Economics from McGill University.

Connect: Daniel's Twitter Profile
Firm/Organization: Murtha Cullina LLP
Blogs: Privacy and Cybersecurity Perspectives

Latest Articles

hurricane florence 2
Hurricane Florence has caused the Department of Health and Human Services (“HHS”) to declare a public health emergency ahead of the storm.  Accordingly, HHS’ Office for Civil Rights (“OCR”) released guidance ahead of the hurricane.  The focus of the guidance is that HIPAA should not impede patient care in a disaster situation.…
On July 23, 2018, Denmark’s data protection agency announced that companies must encrypt all emails transmitting sensitive personal data.  This new rule goes into effect January 1, 2019, giving companies that do business in or with Denmark approximately five months to implement encryption technologies for their email systems.  This is a strict interpretation of Article 9 of GDPR; however, one facet of GDPR is that each European Union country can interpret and determine how companies…
HIPAA has teeth.  On June 1, 2018, an Administrative Law Judge (ALJ) ruled that the University of Texas MD Anderson Cancer Center violated HIPAA.  In doing so, the ALJ granted the Office of Civil Rights (OCR) summary judgment, requiring the hospital to fork up the $4,348,000 in civil monetary penalties imposed by OCR. …
On June 4, 2018, the Governor signed into law Public Act 18-90, An Act Concerning Security Freezes on Credit Reports, Identity Theft Prevention Services and Regulations of Credit Rating Agencies (the “Act”), likely in reaction to the Equifax breach among many others.  The title of the Act leaves little to the imagination as to its subject matter.…
The conversation surrounding the data we put online continues to heat up.  Bloomberg reports that in 2015, Twitter sold access to randomly selected tweets to Aleksandr Kogan, the individual who created the personality quiz that Cambridge Analytica then used to harvest Facebook user data.  Working under his own commercial enterprise, Global Science Research, Mr. Kogan gained access to a random sampling of five months of Twitter posts, covering the dates of December 2014 to April…
In the wake of the Facebook and Cambridge Analytica scandal, another social media company, Grindr, a gay dating app, has come under scrutiny for its sharing of sensitive personal information with third parties.  In particular, Norwegian research outfit SINTEF, after analyzing Grindr’s traffic, alleges that Grindr shares its users’ disclosed HIV status and last tested date , GPS location and other demographic profile information with third parties.…
Facebook is the subject of a recent media blitz due to the allegations that 50 million people had their information improperly disclosed to Cambridge Analytica, a data research firm that may have played a role in the 2016 election. The premise of the allegations is that Cambridge Analytica sent out a personality test to roughly 270,000 of Facebook’s users, stating that it would use the test for academic purposes.  However, allegedly, Cambridge Analytica collected the…
On February 16, 2018, the U.S. Supreme Court denied certiorari to review CareFirst’s appeal of the U.S. Court of Appeals, D.C. Circuit’s decision in Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017).  The D.C. Circuit held that the threat of harm from a data breach is enough to satisfy the “injury in fact” standing requirement.    Other circuit courts of appeal have reached the opposite conclusion.  Unfortunately, the U.S. Supreme Court will not be addressing…
On Monday, February 5, 2018, the Massachusetts Attorney General’s Office (AGO) sent an e-mail blast regarding their new online form for businesses needing to report breaches under Chapter 93H of the Massachusetts General Laws. As of February 1, 2018, the AGO has a new online form that businesses may use for reporting such breaches in lieu of sending a paper letter or e-mail to the AGO; however the AGO still allows both those reporting methods.…
Based on the decision in a recent Connecticut Supreme Court case, patients may now sue physicians for breaching confidentiality. Previously, Connecticut did not recognize breach of confidentiality as a cause of action. The unauthorized disclosure at the heart of Byrne v. Avery Center for Obstetrics and Gynecology, P.C. involved a provider’s response to a subpoena. Subpoena compliance has long been an area of confusion for providers. After Byrne, not only must providers pay special attention…