In December 2024, New York Governor Kathy Hochul signed two significant bills (A8872A and S2376B) into law, substantially amending the state's Data Breach Notification Law (General Business Law § 899-aa).
New York’s updated Data Breach Notification Law signals a stronger stance on consumer data protection, especially regarding sensitive health information. The update requires businesses to notify affected New York residents of a data breach within 30 days of discovering the incident.
This puts a hard ceiling on the previous open-ended standard of notifying "without unreasonable delay": the clock now runs from discovery of the breach, not from completion of the investigation, so incident response plans need a dated decision point well before day 30.
Entities that notify New York residents must now also report the breach to the New York State Department of Financial Services (NYSDFS), in addition to the New York State Attorney General (NYSAG) and the other state agencies already on the notification list. For healthcare providers this means one more regulator receives every qualifying breach report.
Expanding the list of agencies gives state regulators more complete visibility into breach activity across sectors, including entities that are not otherwise regulated by NYSDFS.
Starting March 21, 2025, the definition of "private information" expands to include medical information and health insurance information. This change particularly affects life sciences and consumer healthcare companies not covered by HIPAA, which now face new notification requirements and potential legal exposure for data they may previously have treated as out of scope.
Healthcare providers already subject to the Health Insurance Portability and Accountability Act (HIPAA) must continue following the federal Breach Notification Rule, which requires individual notifications without unreasonable delay and no later than 60 days after discovery. However, these entities must now also satisfy New York's expanded state-agency reporting obligations, including notifying the NYSAG and the NYSDFS.
Life sciences companies, wellness startups, and consumer healthcare organizations not regulated under HIPAA now face increased legal and compliance risk. These entities need a breach-response process that can classify an incident, confirm whether medical or health insurance data was involved, and deliver individual and state-agency notifications inside the 30-day window.
Practical controls follow from how the statute defines a breach: "private information" excludes data that is encrypted, unless the encryption key was also acquired. Encrypting medical and insurance data at rest and managing keys separately from the data store can therefore keep an incident out of scope entirely, and should be paired with regular security assessments and employee training on handling sensitive data.
The N.Y. State Assembly’s Memorandum in Support of Legislation stated, “There seems to be a broad sense of uncertainty by experts and lawmakers as to which federal regulations, if any, is charged with the responsibility to monitor and do regular supervision on cybersecurity.
Thus, it is time for New York State to lead on this issue… To this end, this legislation provides a clear consumer protection mandate that will aggressively protect consumers by mandating timely disclosure of data breaches by credit reporting agencies.”
Non-compliance can lead to enforcement actions, financial penalties, and reputational damage.
For healthcare providers, failing to meet the 30-day notification deadline or properly report breaches can undermine patient trust and invite regulatory scrutiny.
HIPAA compliance refers to adhering to the rules issued under the Health Insurance Portability and Accountability Act to safeguard patients' protected health information (PHI).
A covered entity, as defined by HIPAA, is a health plan, a healthcare clearinghouse, or a healthcare provider that transmits health information in electronic form in connection with a HIPAA standard transaction.
To report a HIPAA breach, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach.
They must also notify the Secretary of Health and Human Services (HHS): for breaches affecting 500 or more individuals, within the same 60-day window as the individual notices; for smaller breaches, through an annual log submitted within 60 days of the end of the calendar year in which the breach was discovered.
Additionally, if the breach affects more than 500 residents of a state or jurisdiction, notice to prominent media outlets serving that area is required.