Connecticut Healthcare Breach Notification Law: Requirements and Deadlines



Kevin Henry

Data Breaches

February 09, 2026


Connecticut’s breach statute applies to healthcare providers and their partners when a security incident exposes “personal information” held in computerized data. Below, you’ll find the statute’s definition of personal information, its notification timing rules, the duty to report to the Attorney General, the credit-monitoring obligations, the media notification threshold, the allowance for delay at law enforcement’s request, and the substitute notice procedure you can use when standard notice is impracticable.

Definition of Personal Information

Under Connecticut law, “personal information” is a resident’s first name or first initial and last name combined with any one of the following data elements, when not encrypted or otherwise rendered unreadable:

  • Social Security number or taxpayer identification number.
  • IRS Identity Protection PIN.
  • Driver’s license, state ID, passport, military ID, or other government ID commonly used to verify identity.
  • Credit or debit card number.
  • Financial account number with any required security or access code.
  • Medical information (history, condition, treatment, or diagnosis).
  • Health insurance policy or subscriber number, or unique health insurer identifier.
  • Biometric identifiers (for example, fingerprint, voiceprint, retina or iris image).
  • Precise geolocation data.

In addition, a user name or email address in combination with a password or security question and answer that permits access to an online account is also personal information. ([law.justia.com](https://law.justia.com/codes/connecticut/title-36a/chapter-669/section-36a-701b/))

Notification Requirements and Deadlines

If you determine a breach occurred, you must notify affected Connecticut residents without unreasonable delay and no later than 60 days after discovery, unless a shorter time is required by federal law. If you identify additional residents after the 60-day mark, proceed in good faith to notify them as quickly as possible. Notification is not required if, after an appropriate investigation, you reasonably determine the breach is not likely to result in harm to the affected individuals. ([law.justia.com](https://law.justia.com/codes/connecticut/title-36a/chapter-669/section-36a-701b/))

Healthcare entities subject to HIPAA must also follow the federal Breach Notification Rule, which similarly requires notice to individuals without unreasonable delay and in no case later than 60 days after discovery—aligning with Connecticut’s Breach Notification Timing. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

Notification to Attorney General

You must provide notice to the Connecticut Attorney General no later than the time you notify residents. The Attorney General accepts notices via an online submission form and treats failure to meet these requirements as a violation of the Connecticut Unfair Trade Practices Act. Entities that follow their own written breach procedures or are HIPAA-compliant are deemed compliant with state notice requirements, but still must meet this Attorney General Reporting obligation and the credit-monitoring mandate described below. ([portal.ct.gov](https://portal.ct.gov/ag/general/report-a-breach-of-security-involving-computerized-data))

Identity Theft Prevention Services

If a Connecticut resident’s Social Security number or taxpayer identification number was breached or is reasonably believed to have been breached, you must offer appropriate identity theft prevention and, if applicable, identity theft mitigation services at no cost for at least 24 months. Your notice must include enrollment information and instructions on how residents can place a credit freeze—these Credit Monitoring Obligations apply to healthcare entities as well. ([law.justia.com](https://law.justia.com/codes/connecticut/title-36a/chapter-669/section-36a-701b/))


Media Notification Obligations

Connecticut law does not require media notice in ordinary circumstances; however, if you use substitute notice (see below), one component is publication to major statewide media outlets. Separately, HIPAA requires covered healthcare entities to notify prominent media outlets when a breach involves more than 500 residents of a state or jurisdiction, and this media notification must occur without unreasonable delay and no later than 60 days after discovery. This is the controlling Media Notification Threshold for HIPAA-covered healthcare breaches. ([law.justia.com](https://law.justia.com/codes/connecticut/title-36a/chapter-669/section-36a-701b/))

Exceptions and Delayed Notification

Law Enforcement Delay: You may delay notice for a reasonable time if a law enforcement agency determines and requests that notification would impede a criminal investigation; notice must then occur once the agency indicates it will no longer compromise the investigation. ([law.justia.com](https://law.justia.com/codes/connecticut/title-36a/chapter-669/section-36a-701b/))

Other key exceptions: encrypted or otherwise unreadable data typically falls outside “breach of security,” and notification is not required if, after an appropriate investigation, you reasonably conclude the incident will not likely result in harm. Special rules apply to breaches of login credentials, including directing individuals to promptly change passwords and prohibiting notice solely to the compromised email account. ([law.justia.com](https://law.justia.com/codes/connecticut/title-36a/chapter-669/section-36a-701b/))

Substitute Notice Procedures

When standard individual notice is impracticable, you may use substitute notice if you demonstrate in your Attorney General notice that one of the following is true: the cost of providing notice exceeds $250,000; the affected class exceeds 500,000 persons; or you lack sufficient contact information. Substitute Notice Policy requires all of the following: (1) email notice (if available); (2) conspicuous posting on your website (if you maintain one); and (3) notice to major statewide media, including newspapers, radio, and television. ([law.justia.com](https://law.justia.com/codes/connecticut/title-36a/chapter-669/section-36a-701b/))

FAQs

What personal information triggers notification under Connecticut law?

Notification is triggered when a resident’s name plus a specified data element (for example, SSN, TIN, government ID, payment or financial account data with access codes, medical information, health insurance identifiers, biometrics, or precise geolocation) is breached, or when login credentials (username or email with password/security answers) are compromised.

When must a healthcare breach notification be sent?

You must notify affected residents without unreasonable delay and no later than 60 days after discovering the breach; HIPAA-covered entities have the same outside limit under federal law.

Are businesses required to notify the attorney general?

Yes. Any person (including businesses and healthcare organizations) that owns, licenses, or maintains computerized data with personal information must notify the Connecticut Attorney General no later than when residents are notified.

What services must be offered if Social Security numbers are compromised?

You must provide at least 24 months of no-cost identity theft prevention and, if applicable, mitigation services, along with enrollment details and instructions for placing a credit freeze.

Summary: By aligning your incident response with Connecticut’s 60-day cap, timely Attorney General reporting, the two-year identity protection requirement for SSN/TIN breaches, HIPAA’s media rule for large healthcare incidents, and the state’s substitute notice and law enforcement delay provisions, you ensure compliance and protect affected patients effectively.
