Virginia Healthcare Data Breach Notification Law: Requirements, Deadlines, and Who You Must Notify
Definition of Medical Information
Virginia law distinguishes “medical information” from general personal data. Under § 32.1-127.1:05, medical information means a Virginia resident’s name (or first initial and last name) linked with details about medical or mental health history, conditions, treatment or diagnosis by a health professional, or with health insurance identifiers and related application or claims information, when the data isn’t encrypted or redacted. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title32.1/chapter5/section32.1-127.1%3A05/))
The statute applies to “entities” that are public bodies or organizations supported wholly or mainly by public funds (for example, state agencies, local governments, public universities, and similar entities). Private-sector healthcare providers are typically governed by HIPAA’s rules for Protected Health Information (PHI), while public entities handling medical information fall under Virginia’s medical breach statute unless HIPAA or the FTC Health Breach Notification Rule already applies. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title32.1/chapter5/section32.1-127.1%3A05/))
Notification Requirements for Breaches
When Virginia’s medical information law requires notice
If unencrypted or unredacted medical information is accessed and acquired by an unauthorized person, a covered Virginia public entity must notify, without unreasonable delay, all of the following: (1) the Office of the Attorney General, (2) the Commissioner of Health, (3) the subject of the medical information, and (4) any other affected Virginia resident. This obligation can also apply when an encryption key is compromised. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title32.1/chapter5/section32.1-127.1%3A05/))
When Virginia’s personal information law requires notice
For private and public entities that own or license computerized “personal information” (e.g., name plus SSN, driver’s license number, or financial account data), notice is required when unencrypted or unredacted data is accessed and acquired and has caused, or is reasonably believed to have caused or will cause, identity theft or other fraud. Notice must be provided to affected residents and to the Office of the Attorney General without unreasonable delay; if the encryption key was accessed, notice may still be required. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
HIPAA interplay and breach notification timelines
HIPAA’s Breach Notification Rule governs PHI held by covered entities and business associates. You must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. If 500 or more individuals are affected, you must also notify HHS within 60 days and notify prominent media in the relevant state or jurisdiction; smaller breaches are logged and reported to HHS annually. Virginia’s medical statute expressly does not apply where HIPAA or the FTC Health Breach Notification Rule already requires breach notifications. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))
Content of Required Notifications
Under Virginia’s personal information statute
- A concise description of the incident in general terms.
- The types of personal information involved.
- General steps taken to protect data from further unauthorized access.
- A contact telephone number for more information.
- Advice to stay vigilant by checking account statements and monitoring free credit reports.
These elements must appear in notices required by § 18.2-186.6. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
Under Virginia’s medical information statute
- A general description of what happened.
- The types of medical information involved.
- General steps taken to protect against further unauthorized access.
- A telephone number for assistance.
These elements are specified in § 32.1-127.1:05. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title32.1/chapter5/section32.1-127.1%3A05/))
Under HIPAA (PHI)
- What happened, including dates of breach and discovery (if known).
- Types of unsecured PHI involved.
- Steps individuals should take to protect themselves.
- What the organization is doing to investigate, mitigate, and prevent recurrence.
- Contact methods (toll-free phone, email, website, or postal address) and plain-language formatting.
HIPAA’s content requirements appear at 45 CFR 164.404(c). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404))
Substitute Notice Procedures
Virginia’s Substitute Notice Criteria
If direct notice is impracticable because costs exceed $50,000, the affected class exceeds 100,000 residents, or sufficient contact information/consent is lacking, Virginia permits substitute notice that includes all of the following: (1) email notice if available, (2) conspicuous posting on the entity’s website, and (3) notice to major statewide media. This framework exists in both the personal information and medical information statutes. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
HIPAA substitute notice
When contact information is insufficient or out of date, HIPAA allows substitute notice. For fewer than 10 individuals, you may use an alternative method reasonably calculated to reach them; for 10 or more, you must either post conspicuously on your homepage for 90 days or publish in major media where affected individuals likely reside, and provide a toll-free number active for at least 90 days. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.404))
Notification to Regulators and Data Owners
Office of the Attorney General notifications and Consumer Reporting Agencies
Under § 18.2-186.6, if notice to residents is required, you must also notify the Office of the Attorney General without unreasonable delay. If you notify more than 1,000 persons at one time, you must additionally notify all nationwide consumer reporting agencies of the timing, distribution, and content of the notice. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
Commissioner of Health (medical information)
Virginia’s medical information statute requires notice to the Commissioner of Health in every reportable medical-information breach and, if 1,000 or more persons are notified at once, a follow-on notice to the Commissioner (and the Attorney General) describing the timing, distribution, and content of the consumer notice. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title32.1/chapter5/section32.1-127.1%3A05/))
HHS/OCR and other regulators (HIPAA and FTC)
HIPAA-covered entities and business associates must submit breach reports to HHS/OCR: within 60 days of discovery if 500 or more individuals are affected, or within 60 days after the end of the calendar year if fewer than 500 are affected. Non-HIPAA entities handling consumer health data may be subject to the FTC Health Breach Notification Rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))
Notifying data owners (when you maintain but do not own the data)
If you maintain computerized data you do not own or license, Virginia law requires you to notify the owner or licensee of a breach without unreasonable delay—this applies for both personal information and medical information. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
Delay of Notification Conditions
Virginia permits reasonable delay to determine breach scope and restore system integrity. Notice may also be delayed if, after you alert law enforcement, the agency determines that notice would impede a criminal or civil investigation or harm national/homeland security; notification must occur once that risk ends. HIPAA similarly allows a documented law‑enforcement delay under 45 CFR 164.412. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
Penalties for Non-Compliance
For personal information breaches, the Virginia Office of the Attorney General may seek civil penalties up to $150,000 per breach or series of similar breaches discovered in a single investigation. Individuals may also recover direct economic damages. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
Virginia’s medical information statute does not set a specific dollar penalty. However, violations of Title 32.1 can prompt enforcement actions by the Commissioner or Attorney General, including injunctions, and in some contexts other sanctions or civil penalties under Title 32.1’s general enforcement provisions. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title32.1/chapter1/section32.1-27/))
HIPAA enforcement is handled by HHS/OCR and can result in civil money penalties; failure to meet the 60-day breach notification timeline may be an aggravating factor. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))
Conclusion
In Virginia, breach response hinges on what was exposed and who you are. Public entities handling medical information must notify the Attorney General, the Commissioner of Health, and affected people without unreasonable delay, while private organizations follow § 18.2-186.6 for personal information and HIPAA for PHI. Map the data elements, apply the correct substitute notice criteria, and complete all Office of the Attorney General notifications and agency filings on time to minimize risk and potential civil penalties for breach violations. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title32.1/chapter5/section32.1-127.1%3A05/))
FAQs
What information qualifies as medical data under Virginia law?
Medical information means a name (or initial and last name) linked with medical or mental health history, conditions, treatment or diagnosis by a health professional, or with health insurance identifiers and related application/claims data, when the information is neither encrypted nor redacted. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title32.1/chapter5/section32.1-127.1%3A05/))
When must affected individuals be notified of a breach?
Virginia requires notice “without unreasonable delay” once a reportable breach is discovered. HIPAA adds a hard outer limit of 60 calendar days after discovery for PHI, plus reporting to HHS (and media for larger breaches). ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
How can notifications be delivered to comply with the law?
Virginia permits written mail, telephone, or electronic notice; if certain thresholds make direct notice impracticable, substitute notice is allowed (see below). HIPAA requires first‑class mail or email (if the individual agreed), with substitute methods when contact information is insufficient or outdated. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
When is substitute notice allowed?
In Virginia, if notification costs would exceed $50,000, if the affected class exceeds 100,000 residents, or if you lack sufficient contact information/consent, you may use substitute notice consisting of email (if available), a conspicuous website posting, and statewide media. Under HIPAA, use substitute notice when contact information is insufficient: for fewer than 10 individuals, an alternative reasonable method; for 10 or more, a 90‑day homepage posting or major media plus a toll‑free number. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))
What penalties apply for failure to notify?
For personal information breaches, the Attorney General may seek up to $150,000 per breach or series of similar breaches, and individuals may recover direct economic damages. Title 32.1 enforcement tools (e.g., injunctions, other sanctions) may apply to public entities that violate health‑related provisions. HIPAA violations can lead to civil money penalties imposed by HHS/OCR. ([law.lis.virginia.gov](https://law.lis.virginia.gov/vacode/title18.2/chapter5/section18.2-186.6/))