In an interesting turn of events, the Insurance Commissioner of the State of Connecticut is now requiring that they be notified any of the entities that they regulate, which includes many members of the healthcare ecosystem who also need to comply with HIPAA/HITECH data breach regulations. Their Bulletin IC-25 requires that they be notified within 5 days of the identification of a potential data breach incident.
The involvement of insurance authorities in data security incident definition and notification further complicates the maze of laws and regulations faced by healthcare and other organizations that maintain personal information on patients, policyholders and clients, including protected health information (PHI). For instance, in this case, even encrypted data loss will require notification of the Insurance Commissioner, as will the loss of paper files.
They also indicate that: “Depending on the type of incident and information involved, the Department will also want to have discussions regarding the level of credit monitoring and insurance protection which the Department will require to be offered to affected consumers and for what period of time.”