Washington updated its breach notifications laws and this news includes healthcare Covered Entities (CE) and Business Associates (BA). CE and BA now have 30 days to begin notifying data breach victims; additionally, the Attorney General must also be notified within 30 days and without reasonable delay.
This new law includes information affected as a combination of name with birth date, health insurance identification numbers, medical history, student identification, military identification, passports, information system credentials, biometrics and electronic signatures. Breached organizations must list the information breached in their notification letter.
This is Washington State's second new consumer privacy-based law in two years.