On August 29, 2019, the Maryland Insurance Administration issued new breach notification requirements for entities that provide health insurance or related services. The new requirements will apply to insurers, non-profit health plans, HMOs, third-party administrators, and certain other managed care entities. The new rules will take effect on October 1, 2019.
Under existing Maryland law, businesses that either own or license computerized data that includes the personal information of a Maryland resident are subject to breach notification requirements under certain circumstances. Upon becoming aware of a breach, the business must “conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information of the individual has been or will be misused as a result of the breach.” If it determines that there is a “likelihood that personal information has been or will be misused,” then it must notify affected individuals. Under existing Maryland law, businesses are also obliged to report such incidents to the Maryland Attorney General before notifying affected individuals.
The new rule extends the notice requirement by requiring entities in the health care space to also notify the Maryland Insurance Administration of such breaches. This obligation arises if the business “(i) conducts an investigation required under § 14–3504 . . . and determines that the breach of the security of the system creates likelihood that personal information has been or will be misused.” The notice submitted to the Insurance Administration must include a concise description of the security breach, copies of any notifications sent to consumers, and a copy of the notice sent to the Maryland Attorney General’s office.