Starting October 1, 2019, medical insurance companies and related services must inform the Maryland Insurance Administration (MIA) when a breach of insureds’ personal data occurs.
The change in legislation is applicable to health plans, health insurance providers, HMOs, managed general agents, managed care facilities, and third-party medical insurance administrators.
MIA’s Compliance & Enforcement Unit should be advised when the breach investigation finds there is a probability of misuse of the personal data of the insured.
Personal data is defined as an individual’s first name or first initial and last name, combined with at least one of the following data elements when that element is not redacted, encrypted or unreadable:
- Health information
- Biometric data
- Driver’s license number
- Social Security number
- Individual Taxpayer Identification Number
- Passport number
- Other federal ID number
- State identification card number
- Medical insurance policy/certificate number
- Medical insurance subscriber identification number
- An account number, debit or credit card number, e-mail address or username coupled with a password/access code or security Q&A that permits account access.
Under Article §4-406 of the Annotated Code of Maryland, the covered entity needs to give the notice at the same time that notification is given to the Maryland Office of the Attorney General. This is required under Subtitle 35 of the Maryland Personal Information Protection Act (§ 14–3504(h)).
Covered entities should send notices by mail or email using the breach notification form available on the MIA’s web page. Notices have to include the name of the entity, the name and contact information of the person giving the notice, and a simple description of the background of the data breach.
The MIA must likewise be given a copy of the breach notification letter mailed to affected persons and a copy of the breach notification letter provided to the Maryland Attorney General.