Delaware Healthcare Breach Notification Law: Requirements, Deadlines, and Penalties
Scope of Delaware's Data Breach Notification Law
Delaware’s law applies to any person or entity that conducts business in the state and owns, licenses, or maintains computerized data containing the personal information of Delaware residents. “Breach of security” means the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information; encrypted data is excluded unless the encryption key was also, or is reasonably believed to have been, acquired. Service providers that maintain data for others must notify and cooperate with the data owner. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Healthcare context: if you are regulated by HIPAA or another sectoral law and you maintain breach procedures required by your regulator, you are deemed in compliance with Chapter 12B when you notify affected Delaware residents in accordance with those procedures. This “deemed compliance” addresses resident notices but does not displace Delaware’s state-specific duties, such as Delaware Attorney General notification thresholds and credit monitoring requirements. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Definition of Personal Information
Under Delaware law, personal information (PI) is a resident’s first name or first initial and last name in combination with any one or more of these data elements: Social Security number; driver’s license or state/federal ID number; financial account/credit/debit number with any required code or password; passport number; username or email with password or security Q&A; medical history, treatment, diagnosis, or DNA profile (personal health information); health insurance identifiers; unique biometric data used for authentication; or individual taxpayer identification number. The statute covers electronic (computerized) data. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Notification Requirements
Who must notify: owners or licensees of the affected data must notify impacted Delaware residents; maintainers must notify and cooperate with the owner/licensee. Timing: notice must be provided without unreasonable delay and no later than 60 days after determining a breach occurred. Delaware’s data breach notification timelines may be shortened if federal law requires faster notice. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Exceptions and delays: notice is not required if, after an appropriate investigation, you reasonably determine the incident is unlikely to result in harm to affected individuals. Notice may be delayed at the written request of law enforcement if it would impede an investigation. If you cannot, through reasonable diligence, identify all affected residents within 60 days, you must notify those residents as soon as practicable once identified. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Content and clarity: Delaware does not prescribe a rigid content checklist, but the Attorney General’s Consumer Protection Unit provides a model form and urges plain, accessible language for consumer notices. ([attorneygeneral.delaware.gov](https://attorneygeneral.delaware.gov/fraud/cpu/securitybreachnotification/))
Methods of Notification
Permitted methods include written notice, telephonic notice, and electronic notice. Electronic notice must satisfy E‑SIGN Act compliance (15 U.S.C. § 7001) or be consistent with your primary method of communicating with the resident. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Substitute notice is permitted if the cost of individual notice would exceed $75,000, more than 100,000 Delaware residents must be notified, or you lack sufficient contact information. Substitute notice must include: (1) email notice if addresses are available, (2) conspicuous posting on your website, and (3) notice to major statewide media plus publication on your major social media platforms. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Special rule for email-account incidents: if login credentials for an email account you furnish are breached, you cannot notify the resident at that same email address; use another permitted method or a clear, conspicuous in‑account notice when the resident logs in from a customary location. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Credit Monitoring Requirement
If a breach includes a Social Security number, you must offer affected Delaware residents at least one year of free credit monitoring services, provide all information needed to enroll, and include instructions on placing a credit freeze. This obligation does not apply if, after an appropriate investigation, you reasonably determine the breach is unlikely to result in harm. Offer reputable credit monitoring services and explain how to activate them promptly. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Government Notification
Delaware Attorney General notification: if notice to more than 500 Delaware residents is required, you must also notify the Delaware Attorney General no later than the time you notify residents. The AG’s office accepts reports via an online portal or a fillable PDF form. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Healthcare-specific federal reporting
HIPAA-covered entities and business associates must also report breaches of unsecured protected health information to HHS. If 500 or more individuals are affected, you must notify HHS without unreasonable delay and in no case later than 60 calendar days from discovery; for fewer than 500 individuals, report to HHS within 60 days after the end of the calendar year in which the breach was discovered. These timelines run in parallel to Delaware’s state requirements. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html))
Consumer reporting agencies: Delaware’s general breach statute does not require separate notice to consumer reporting agencies, though other laws or contractual obligations may apply. ([dwt.com](https://www.dwt.com/gcp/states/delaware))
Penalties for Non-Compliance
Enforcement: the Attorney General may bring actions to ensure compliance with Chapter 12B and to recover direct economic damages. Depending on the proceeding, civil penalties can apply under the Consumer Protection Division’s authority. In court actions, willful violations can result in civil penalties up to $10,000 per violation; in administrative proceedings, up to $5,000 per willful violation; and up to $25,000 per violation for willful violations of an order or agreement. Courts may also order restitution, injunctive relief, and other remedies. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Private lawsuits: Delaware’s general breach notification statute does not create a private right of action, but noncompliance can still lead to AG enforcement, reputational harm, and parallel exposure under other laws or contracts. ([dwt.com](https://www.dwt.com/gcp/states/delaware))
Bottom line: build a response plan that aligns HIPAA and Delaware timelines, validates risk-of-harm findings, satisfies E‑SIGN Act–compliant notice methods, implements substitute notice when justified, includes required credit monitoring services for SSN exposures, and meets the Delaware Attorney General notification trigger. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
FAQs
What information triggers notification under Delaware law?
Notification is triggered when a breach of security involves a resident’s name plus one or more specified data elements, including Social Security numbers; driver’s license or government ID numbers; financial account data with any required code or password; passport numbers; usernames/emails with passwords or security Q&A; medical information or DNA profile; health insurance identifiers; biometric authentication data; or individual taxpayer identification numbers. Encrypted data is excluded unless the encryption key was also compromised. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
When must affected individuals be notified?
You must notify without unreasonable delay and no later than 60 days after determining a breach occurred. Notice may be delayed for law enforcement or if you reasonably determine the incident is unlikely to result in harm; if you cannot identify all affected residents within 60 days, notify additional residents as soon as practicable once identified. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
What credit monitoring is required after a breach?
If Social Security numbers are involved, you must offer at least one year of free credit monitoring services, provide enrollment information, and include instructions for placing a credit freeze. The requirement does not apply if you reasonably determine the breach is unlikely to result in harm. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))
Who must be notified if more than 500 residents are affected?
You must notify the Delaware Attorney General no later than the time you notify affected residents. In healthcare, if a breach affects 500 or more individuals, you must also notify HHS within 60 calendar days of discovery. ([delcode.delaware.gov](https://delcode.delaware.gov/title6/c012b/index.html))