Governor Tom Wolf of Pennsylvania has approved Senate Bill 696. The bill broadens the definition of personal information covered by the Breach of Personal Information Notification Act, which requires that individuals be notified in the event of a data breach. The revised law will become effective on May 2, 2023.
An individual’s medical data, health insurance details, and usernames and passwords are now included in the updated definition of personal information. Notifications need to be given when any of that data is breached together with the name of a state citizen.
Medical data is defined as individually identifiable information associated with a person's present or past medical condition, diagnosis, or treatment that was documented by a healthcare professional. Health insurance data consists of a health insurance policy number or subscriber number, together with an access code or other details that would enable a person's insurance benefits to be misused. Notifications must also be issued when usernames are breached. The same applies when a password or any other data that enables access to a person's online account is compromised, such as a security question and answer.
In the case of breached usernames and/or passwords, notifications may be sent electronically when a prior business relationship exists and the individual or entity has a valid email address on file, provided the notice instructs that person to immediately change their password or similar account data to secure their account. Standard notifications should be mailed to the person's last known residential address, though telephone notices are permitted when the person can be reached by phone.
HIPAA-covered entities and their business associates are exempt from this bill as long as they comply with the requirements of the HIPAA Breach Notification Rule.