New Data Breach Notification Regulation for Health Insurers in Maryland


Beginning October 1, 2019, health insurance providers and associated services have to notify the Maryland Insurance Administration (MIA) whenever a breach of insureds’ personal information occurs.

The change in rules covers health plans, health insurance companies, HMOs, managed general agents, managed care institutions, and third-party health insurance administrators.

MIA’s Compliance & Enforcement Unit should be informed if the breach investigation establishes that there is a possibility of misuse of the insured’s personal information.

Personal information refers to a person’s first name or first initial and last name, along with at least one of the following data elements that are not encrypted, redacted, or otherwise unreadable:

  • Health information
  • Biometric data
  • Social Security number
  • Passport number
  • Individual Taxpayer Identification Number
  • Other federal ID numbers
  • Driver’s license number
  • State identification card number
  • Health insurance policy/certificate number
  • Health insurance subscriber identification number
  • An account number, credit or debit card number, or username or e-mail address, together with a password/access code or security question and answer that enables account access

According to Article §4-406 of the Annotated Code of Maryland, the covered entity should provide the notification at the same time that notification is provided to the Maryland Office of the Attorney General. This is required under Subtitle 35 of the Maryland Personal Information Protection Act (§ 14–3504(h)).

Providers should send notices by mail or email using the breach notification form available on MIA’s website. Notification letters should include the name of the company, the name and contact information of the individual supplying the notification, and a short description of the circumstances of the data breach.

The MIA should also be provided with a copy of the breach notification letter sent to affected individuals and a copy of the breach notification letter mailed to the Maryland Attorney General.