Page 283 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
breach and must also notify both the Secretary of Health and Human Services and the media when the breach affects more than 500 individuals.
Data Breach Notification Laws
HITECH’s data breach notification rule is unique in that it is a federal law mandating the notification of affected individuals. Outside of this requirement for healthcare records, data breach notification requirements vary widely from state to state.
In 2002, California passed SB 1386 and became the first state to require that individuals be immediately notified of the known or suspected breach of their personally identifiable information. This covers unencrypted copies of a person’s name in conjunction with any of the following information:
Social Security number
Driver’s license number
State identification card number
Credit or debit card number
Bank account number in conjunction with the security code, access code, or password that would permit access to the account
Medical records
Health insurance information
In the years following SB 1386, many (but not all) other states passed similar laws modeled on the California data breach notification law. As of 2017, only Alabama and South Dakota do not have state breach notification laws.
For a complete listing of state data breach notification