Effective October 1, 2019, organizations providing health insurance and related services must notify the Maryland Insurance Administration as part of its breach notification requirements.
In August 2019, the Maryland Insurance Administration issued Bulletin 19-14 informing insurers, nonprofit health plans, HMOs, managed care organizations, managed general agents and third party administrators of a new notice requirement for data breaches.
After an incident, once the regulated company conducts the investigation required by the state's existing data breach law, the new rule requires that regulated entity to also send notice to the Maryland insurance commissioner if the breach of security "creates a likelihood that personal information has been or will be misused". The notice must be sent to the commissioner at the same time as the notice submitted to the Maryland AG. The notification must include 1) a description of the security breach, 2) a copy of any consumer notifications, and 3) a copy of the notice sent to the Maryland AG. An online form can be used to submit the notice.
October looks to be a busy month for new breach notification obligations in Maryland. We previously reported on the other amendment happening next month.
Putting it into Practice: If your organization provides health insurance and related services, now is the time to update your nationwide breach notice plan to address this additional notification requirement. Maryland is not the only state to have requirements specific to insurance companies or to require notification to an insurance commissioner. Connecticut, Ohio, New Hampshire, and Washington do as well (among others).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.