New Mexico Healthcare Data Breach Notification Law: Requirements, Deadlines, and Reporting Guide

Kevin Henry

Data Breaches

October 28, 2025

New Mexico’s Data Breach Notification Act sets clear rules for when and how you must notify residents after a security incident involving Personal Identifying Information. If you operate in healthcare, you also need to understand how these state duties interact with federal requirements under the Health Insurance Portability and Accountability Act. This guide distills the scope, triggers, timelines, contents, and reporting steps you must follow.

Use it to build or refine your breach playbook so you can move quickly, meet the forty-five‑day deadline, and communicate effectively with affected residents and regulators.

Scope and Applicability

Who must comply

The law applies to any person or entity that owns or licenses elements that include Personal Identifying Information of New Mexico residents. It also reaches service providers that maintain or process such data for others. A “security breach” is the unauthorized acquisition of unencrypted computerized data (or encrypted data plus the decryption key) that compromises the security, confidentiality, or integrity of Personal Identifying Information. Good‑faith acquisition by your employee or agent for a legitimate business purpose is not a breach if there is no further unauthorized disclosure. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-2/))

Service providers and downstream duties

If you disclose Personal Identifying Information to a service provider, you must require by contract that it implement and maintain reasonable security procedures and practices. If a service provider discovers a breach of data it maintains for you, it must notify you in the most expedient time possible and no later than forty‑five calendar days after discovery (subject to delay rules noted below). ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-5/))

Definition of Personal Identifying Information

Personal Identifying Information (PII) means a resident’s first name or first initial and last name combined with one or more of the following unredacted and unencrypted elements:

  • Social Security number;
  • Driver’s license number;
  • Government‑issued identification number;
  • Account number, credit card number, or debit card number with any required security code, access code, or password that permits access to a financial account;
  • Biometric data (e.g., fingerprint, voiceprint, iris/retina pattern, facial characteristics, or hand geometry used for authentication).

Publicly available information lawfully made public is excluded. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-2/))

Notification Requirements and Deadlines

Trigger and harm threshold

You must notify each New Mexico resident whose Personal Identifying Information is reasonably believed to have been subject to a security breach, unless—after an appropriate investigation—you determine the breach does not give rise to a significant risk of identity theft or fraud. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-6/))

Deadline and delivery methods

  • Timing: Provide notice in the most expedient time possible, but no later than forty‑five calendar days after discovery of the breach (subject to allowable delays below).
  • Methods: U.S. mail; electronic notice if that’s how you primarily communicate with the resident or if consistent with 15 U.S.C. § 7001 (E‑SIGN); or Substitute Notice when specific conditions are met. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-6/))

Notification Content and Format

Your resident notice must include the following items and be written clearly and conspicuously:

  • Name and contact information of the notifying person or entity;
  • Types of Personal Identifying Information reasonably believed to have been breached (if known);
  • The date, estimated date, or date range of the incident (if known);
  • A general description of the breach incident;
  • Toll‑free telephone numbers and addresses of the major Consumer Reporting Agencies;
  • Advice to review personal account statements and credit reports for errors; and
  • Advice informing the consumer of their rights under the federal Fair Credit Reporting Act. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-7/))

Delayed and Substitute Notification Provisions

When you may delay notice

  • Criminal Investigation Impediment: A law enforcement agency may request delay if notice would impede a criminal investigation.
  • Containment and assessment: You may delay as necessary to determine the scope of the breach and restore the integrity, security, and confidentiality of your systems. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-9/))

When and how to use Substitute Notice

You may use Substitute Notice if you demonstrate one of these conditions: (1) the cost of direct notice exceeds $100,000; (2) more than 50,000 residents must be notified; or (3) you lack sufficient contact information. Substitute Notice must consist of all three actions: (a) email notice to residents with valid addresses; (b) conspicuous web posting on your site (if you have one); and (c) written notice to the Attorney General and major media outlets in New Mexico. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-6/))

Government Notification Obligations

If a single breach requires you to notify more than 1,000 New Mexico residents, you must also notify the Office of the Attorney General and nationwide Consumer Reporting Agencies (as defined in 15 U.S.C. § 1681a(p)) of the breach in the most expedient time possible and no later than forty‑five days, subject to delay rules. You must tell the Attorney General how many residents received notice and provide a copy of the resident notification within the same forty‑five‑day period. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-10/))

Penalties and Exemptions

Civil Penalties and enforcement

The Attorney General may seek injunctive relief and recover damages for actual costs or losses. If a violation is found to be knowing or reckless, the court may impose Civil Penalties of the greater of $25,000 or—in the case of failed notification—$10 per instance of failed notification, up to a maximum of $150,000. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-11/))

Exemptions for certain regulated entities

The Data Breach Notification Act does not apply to a person subject to the Health Insurance Portability and Accountability Act of 1996 or to a person subject to the Gramm‑Leach‑Bliley Act. State agencies and political subdivisions are also exempted from the Act. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-8/))

HIPAA interplay for healthcare organizations

Covered entities and business associates must instead follow HIPAA’s Breach Notification Rule, which generally requires notification to affected individuals without unreasonable delay and no later than sixty days after discovery, and—in larger breaches—reporting to HHS and sometimes to prominent media. Coordinate your HIPAA timeline with the state’s allowances for delayed notice when law enforcement indicates disclosure would impede an investigation. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

Conclusion

To comply with New Mexico Healthcare Data Breach Notification Law, confirm whether the incident involves Personal Identifying Information, assess risk of identity theft or fraud, act within forty‑five days, include all required notice elements (including Fair Credit Reporting Act advice), and notify the Attorney General and Consumer Reporting Agencies when thresholds are met. Build these rules into contracts with service providers and rehearse your plan so you can execute swiftly under pressure. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-6/))

FAQs

What entities are subject to New Mexico healthcare data breach notification law?

Any person or entity that owns or licenses elements including Personal Identifying Information of New Mexico residents must comply, and service providers must notify the data owner if they experience a breach. However, persons subject to the Health Insurance Portability and Accountability Act are exempt from the state Act and must instead follow HIPAA’s Breach Notification Rule. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-6/))

When must affected residents be notified of a breach?

Provide notice in the most expedient time possible and no later than forty‑five calendar days after discovery of the breach, unless law enforcement determines notice would impede a criminal investigation or you need time to assess scope and restore system security. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-6/))

What information must be included in breach notification?

Your notice must name the notifying entity, list the data types breached (if known), provide the incident date or range (if known), describe the incident, include contact details for major Consumer Reporting Agencies, advise residents to review accounts and credit reports, and inform them of their rights under the Fair Credit Reporting Act. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-7/))

Are there exceptions to notification requirements?

Yes. You need not notify if—after an appropriate investigation—you determine the breach does not present a significant risk of identity theft or fraud. HIPAA‑regulated entities are exempt from the state Act; they follow HIPAA’s separate breach rules. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-6/))

What penalties exist for noncompliance?

The Attorney General may seek injunctions and damages, and courts may impose Civil Penalties for knowing or reckless violations: the greater of $25,000 or, for failed notification, $10 per instance up to $150,000. ([law.justia.com](https://law.justia.com/codes/new-mexico/chapter-57/article-12c/section-57-12c-11/))
