On February 14, 2025, New York’s Governor Hochul signed into law A.B. 920, which amended the state’s Information Security Breach and Notification Act to add personal health information to the types of data that constitute “private information” requiring notice to affected persons. Specifically, the law will add two types of personal health data to the definition of “private information”:
- Medical information, which includes a person’s medical history, mental or physical condition, and history of past or current treatment; and,
- Health insurance information, including insurance identification numbers and any history of a person’s insurance claims or appeals.
The changes will go into effect on March 21, 2025.
As a quick refresher, New York’s data breach law requires a business to give notice of a data breach (specifically a “breach of the security of the system”) when it has reason to believe that computerized data of a New York resident was accessed or acquired by someone without authorization and that the access or acquisition compromises the security, confidentiality, or integrity of private information maintained by the business. “Private information” includes any combination of social security numbers, driver’s license and ID numbers, credit card and financial account numbers, online log-in information, and now medical and health insurance data. We previously covered an update to the New York data breach law, which expanded the definition of “private information,” here. The current law also requires a business to provide written notice to affected persons of the types of information that were potentially accessed, which after passage of A.B. 920 will now include the types of medical or health insurance information accessed. The law already provided hefty monetary penalties for non-compliance, so businesses should be aware that additional types of information must be identified if a data breach occurs and should update their breach notice templates to include the medical information covered under A.B. 920. Entities that provide notice required under HIPAA and HITECH are not required to provide additional notice to New York residents under the data breach law, but must still notify the applicable government agencies.
This amendment follows an amendment in December 2024 that added a 30-day outer time limit for notice of a data breach, except when delay is warranted for the legitimate needs of law enforcement. It also added the NY Department of Financial Services to the list of entities to receive notice. The February 2025 amendment clarified that the requirement to notify the NY DFS applies only to entities covered by the NY DFS regulations. Note that the notification deadline is shorter than that required under HIPAA, but the New York law applies only to residents of New York.
The amendment precedes the Health Information Privacy Act passed by the NY legislature on January 22, 2025, and currently awaiting Governor Hochul’s signature. The Health Information Privacy Act is based on the sweeping Washington My Health My Data Act, although the NY bill does not have a private right of action.
These changes in NY privacy laws reflect an increased concern regarding the protection of personal health data.
Scott Burton, Associate
Scott Burton is a dedicated advocate for employers experiencing complex employment and labor-management issues. He has experience litigating on behalf of his clients before administrative, state, and federal courts in numerous ...