Washington State Healthcare Data Breach Notification Law: Requirements and Deadlines



Kevin Henry

Data Breaches

January 01, 2026


If you handle patient or health-plan data in Washington, you must follow the state’s security breach notification rules alongside any federal healthcare data privacy duties. This guide explains the requirements and deadlines that apply to healthcare-related personal information exposure under Washington law. It is general information, not legal advice.

Notification Timing Requirements

Washington requires prompt security breach notification to affected residents. As of May 13, 2026, you must notify impacted Washington residents without unreasonable delay and no later than 30 calendar days after discovering a breach of personal information. This 30-day outside limit applies to both electronic and paper records.

Law enforcement may request a temporary delay if notification would impede a criminal investigation. Document who made the request and when, and be prepared to send notices as soon as law enforcement confirms the restriction has lifted. If a third-party vendor that maintains or processes the data suffers the incident, the vendor must notify the data owner immediately following discovery so the owner can meet the state's 30-day deadline.

Healthcare entities subject to HIPAA must still account for Washington timelines. When state and federal rules both apply, follow both and meet the strictest standard. HIPAA's Breach Notification Rule allows up to 60 calendar days from discovery, so for Washington residents the state's 30-day clock will usually be the binding one, while HIPAA's separate content and HHS reporting obligations still apply.

Notification Content for Affected Individuals

Notices to individuals must be clear, conspicuous, and in plain language. To comply with Washington’s security breach notification requirements—and to serve patients well—include:

  • Who is notifying: your organization’s legal name and contact information (address, email, and phone).
  • What happened: a concise description of the event and how the personal information exposure occurred, if known.
  • When it happened: the date(s) of the breach and date of discovery, or a time frame if exact dates are unknown.
  • What information was involved: list the categories of personal information (for example, medical information, health insurance policy or subscriber numbers, Social Security numbers, driver license/ID numbers, biometric data, account numbers plus access codes, or usernames/emails with passwords or security answers).
  • What you are doing: the steps taken for data breach containment and to protect individuals going forward.
  • What individuals should do: practical steps to reduce risk (see Protective Measures for Users below).
  • If credentials were exposed: clear instructions to promptly change passwords and security questions for the affected account and any reused credentials.
  • If SSNs or ID numbers were exposed: how to place fraud alerts or credit freezes and where to reach the nationwide consumer reporting agencies.

Notification to Attorney General

You must provide Attorney General Notification when a single breach requires you to notify more than 500 Washington residents. Send this notice without unreasonable delay and no later than 30 calendar days after discovery, and no later than the time you notify affected residents.

What the Attorney General notice should include

  • Your organization’s name and a designated contact person.
  • The types of personal information involved (e.g., medical information, health insurance identifiers, account credentials).
  • The date(s) or time frame of the breach and the date discovered.
  • The number of Washington residents affected (actual or best estimate).
  • A brief description of the incident and the method(s) of individual notification.
  • A copy of the individual notice (with personal details redacted).
  • Whether law enforcement requested a delay in consumer notification.

Submit updated information if material facts change after your initial filing. Maintain records of all notices sent and the dates they were delivered.


Compliance with RCW Laws

Two Washington statutes govern data breach duties: RCW 19.255.010 (persons and businesses, including healthcare organizations) and RCW 42.56.590 (state and local agencies). Both require notification after unauthorized acquisition of personal information that compromises its security, confidentiality, or integrity.

Personal information covered

Washington's definition is broad and specifically relevant to healthcare data privacy. It covers an individual's first name or first initial and last name in combination with one or more of the following, among others: Social Security number; driver license or Washington identification card number; financial account or card numbers together with the security codes or passwords that permit access; full date of birth; passport, military, or student ID numbers; medical information; health insurance policy or subscriber numbers and related identifiers; and biometric data. A username or email address in combination with a password or security answers that permit account access is personal information on its own, with or without a name.

Encryption and safe harbor

Data that is "secured" does not trigger notice: the statute treats data as secured when it is encrypted in a manner that meets or exceeds the NIST standard, or is otherwise modified so that it is unreadable, unusable, or undecipherable to an unauthorized person. The safe harbor is lost if the encryption key or security credential was also acquired. In practice this means a stolen laptop that was unlocked at the time of theft, a database whose key sits in the same backup that was exfiltrated, or a reversible encoding does not qualify. Treat hashing or redaction carefully; only strong, industry-accepted methods render the data unusable, and weak or unsalted hashes of low-entropy values such as SSNs or dates of birth should not be relied on.

Vendors and service providers

Third-party processors that maintain or possess data on behalf of an owner must notify the data owner immediately following discovery of a breach. The data owner remains responsible for resident and Attorney General notifications under RCW 19.255.010 and RCW 42.56.590, so vendor contracts should fix a specific notification window and the contact path the vendor must use.

HIPAA coordination

Covered entities and business associates should align RCW compliance with HIPAA’s breach notification rule. Provide all state-required elements and meet Washington’s 30-day resident and Attorney General deadlines, while separately meeting HIPAA’s federal timelines and content requirements.

Protective Measures for Users

Give individuals concrete steps to reduce harm from personal information exposure, especially when healthcare or identity data is involved:

  • Monitor medical bills and Explanation of Benefits for unfamiliar services; dispute suspicious claims promptly.
  • Request new health insurance cards or subscriber numbers if those identifiers were exposed.
  • Change passwords and security answers; enable multi-factor authentication on all important accounts.
  • Place a fraud alert or credit freeze with the nationwide consumer reporting agencies; review credit reports regularly.
  • Watch for phishing attempts that reference the breach; never share one-time codes.
  • Consider identity-theft protection or credit monitoring if offered.

Reporting Thresholds

  • Individuals: Notify each affected Washington resident—no minimum count threshold.
  • Attorney General: Notify when a single breach requires notice to more than 500 Washington residents, within 30 calendar days of discovery and no later than when residents are notified.
  • Consumer reporting agencies: If you notify 1,000 or more Washington residents at one time, also notify the nationwide consumer reporting agencies of the timing and content of the consumer notice.
  • Vendors: Service providers that maintain or process the data must alert the data owner immediately following discovery so the owner can satisfy state deadlines.
  • HIPAA overlay (healthcare organizations): HHS must be told of every breach of unsecured PHI. When 500 or more individuals are affected, notify HHS within 60 calendar days of discovery, and notify prominent media when more than 500 residents of a single state or jurisdiction are affected; when fewer than 500 are affected, log the breach and report it to HHS within 60 days after the end of the calendar year. These are in addition to Washington obligations.
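The thresholds and clocks above, together with the personal-information definition and the encryption safe harbor from the RCW section, are easy to get wrong under pressure, so incident-response playbooks often encode them. The following Python routine is an added illustration, not tooling from this page, the statutes, or any product, and it is not legal advice. The element tags (`medical_information`, `username_or_email`, and so on), the `Incident` fields, and the sample incidents are assumptions constructed for the example; the numeric thresholds and windows are taken from the text above and should be confirmed against RCW 19.255.010, RCW 42.56.590 and 45 CFR 164.400-414 before use.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds and clocks as stated on this page (assumptions for the example;
# verify against RCW 19.255.010, RCW 42.56.590 and 45 CFR 164.400-414).
WA_WINDOW = timedelta(days=30)     # resident and AG notice: no later than 30 days after discovery
WA_AG_THRESHOLD = 500              # AG notice when MORE than this many WA residents are notified
WA_CRA_THRESHOLD = 1000            # CRA notice when 1,000 or more residents are notified at once
HIPAA_WINDOW = timedelta(days=60)  # HIPAA outside limit for individual and HHS notice
HIPAA_LARGE = 500                  # 500 or more individuals: HHS within 60 days, else annual log

# Elements that, combined with first name/initial plus last name, form "personal information".
SENSITIVE_WITH_NAME = frozenset({
    "ssn", "drivers_license", "state_id", "financial_account_with_code",
    "full_date_of_birth", "passport", "military_id", "student_id",
    "medical_information", "health_insurance_id", "biometric",
})
# A username or e-mail plus a password or security answers qualifies on its own.
CREDENTIAL_SECRETS = frozenset({"password", "security_answers"})


@dataclass
class Incident:
    discovered: date
    wa_residents: int                      # Washington residents whose data was acquired
    elements: frozenset[str]               # element tags, e.g. {"name", "ssn"}
    encrypted: bool = False
    key_compromised: bool = False          # was the key or credential acquired too?
    hipaa_covered: bool = False            # covered entity or business associate
    total_individuals: int | None = None   # HIPAA counts all individuals, not only WA residents
    law_enforcement_hold_until: date | None = None


@dataclass
class Obligations:
    notice_required: bool
    reason: str
    resident_deadline: date | None = None
    ag_required: bool = False              # AG notice shares the resident deadline
    cra_required: bool = False
    hipaa_hhs_deadline: date | None = None
    hipaa_annual_log: bool = False


def is_personal_information(elements: frozenset[str]) -> bool:
    """Either route in the page's definition: name + sensitive element, or credentials alone."""
    if "name" in elements and elements & SENSITIVE_WITH_NAME:
        return True
    return "username_or_email" in elements and bool(elements & CREDENTIAL_SECRETS)


def triage(inc: Incident) -> Obligations:
    if not is_personal_information(inc.elements):
        return Obligations(False, "exposed elements do not meet the personal-information definition")
    if inc.encrypted and not inc.key_compromised:
        # Safe harbor holds only if the key/credential was not also acquired. Keys stored next
        # to the data, or a device that was unlocked when stolen, do not qualify.
        return Obligations(False, "data was secured and the key was not acquired; record the determination")

    deadline = inc.discovered + WA_WINDOW
    hold = inc.law_enforcement_hold_until
    if hold is not None and hold > deadline:
        deadline = hold  # documented law-enforcement request; notify as soon as it lifts
    ob = Obligations(True, "unsecured personal information acquired", resident_deadline=deadline)
    ob.ag_required = inc.wa_residents > WA_AG_THRESHOLD
    ob.cra_required = inc.wa_residents >= WA_CRA_THRESHOLD
    if inc.hipaa_covered:
        total = inc.total_individuals if inc.total_individuals is not None else inc.wa_residents
        if total >= HIPAA_LARGE:
            ob.hipaa_hhs_deadline = inc.discovered + HIPAA_WINDOW
        else:
            ob.hipaa_annual_log = True  # log it; report to HHS within 60 days after year-end
    return ob


# Constructed sample incidents (not real events) that exercise each rule.
SAMPLES = {
    "clinic_ransomware": Incident(date(2026, 3, 2), 620, frozenset({"name", "ssn", "medical_information"}), hipaa_covered=True),
    "encrypted_laptop": Incident(date(2026, 3, 2), 75, frozenset({"name", "medical_information"}), encrypted=True),
    "laptop_with_key": Incident(date(2026, 3, 2), 75, frozenset({"name", "medical_information"}), encrypted=True, key_compromised=True),
    "credential_dump": Incident(date(2026, 3, 2), 1200, frozenset({"username_or_email", "password"}), hipaa_covered=True, total_individuals=300),
    "ssn_only_no_name": Incident(date(2026, 3, 2), 40, frozenset({"ssn"})),
    "le_hold": Incident(date(2026, 3, 2), 500, frozenset({"name", "health_insurance_id"}), law_enforcement_hold_until=date(2026, 4, 15)),
}


def sample_triage(name: str) -> Obligations:
    return triage(SAMPLES[name])


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name}: {sample_triage(name)}")
```

Two boundaries are deliberate: the Attorney General rule uses "more than 500" while the HIPAA large-breach rule uses "500 or more", and the `ssn_only_no_name` sample shows that an element on its own does not meet the name-plus-element definition, although a practitioner should still assess harm and any other law that applies before closing such a case.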

Steps for Containment and Reporting

Immediate containment and investigation

  • Activate your incident response plan; isolate affected systems and disable compromised accounts.
  • Preserve logs, images, and evidence; engage forensics and outside counsel early.
  • Determine what data was accessed, acquired, or exfiltrated and which Washington residents are implicated.

Notification readiness

  • Map applicable laws (RCW 19.255.010, RCW 42.56.590, and HIPAA, if applicable) and set the Washington 30-day deadline from discovery.
  • Draft plain-language notices; prepare mailing/email lists and call-center scripts.
  • Assemble the Attorney General submission package, including the redacted consumer notice and affected-resident count.

Remediation and support

  • Force password resets and enable multi-factor authentication; rotate keys and tokens.
  • Patch vulnerabilities; harden endpoints and network segmentation; enhance monitoring.
  • Offer identity protection when appropriate; train staff on phishing patterns used in the incident.

Documentation and lessons learned

  • Maintain a complete record of decisions, timelines, and notices sent.
  • Update your risk assessments, vendor requirements, data maps, and playbooks to prevent recurrence.

Conclusion

For healthcare-related incidents in Washington, move fast, investigate thoroughly, and deliver complete notices to residents within 30 days while notifying the Attorney General when thresholds are met. Align RCW requirements with HIPAA, prioritize data breach containment, and equip affected individuals with clear, practical protections.

FAQs

What is the deadline for notifying affected individuals under Washington data breach law?

You must notify impacted Washington residents without unreasonable delay and no later than 30 calendar days after discovering the breach. If law enforcement requests a delay to avoid impeding an investigation, send notices as soon as that restriction ends.

How do you notify the Attorney General of a breach?

If a single breach requires you to notify more than 500 Washington residents, submit an Attorney General Notification within 30 calendar days of discovery and no later than the time residents are notified. Include contact details, incident timing, types of data involved, the number of affected residents, and a redacted copy of the consumer notice. Update the filing if material facts change.

What information must be included in breach notifications?

Individual notices should identify your organization, describe what happened and when, specify what categories of personal information were involved (e.g., medical information, health insurance identifiers, SSNs, credentials), outline containment steps, and provide concrete actions individuals can take. Include credential-reset guidance for username/password exposures and credit reporting agency information if SSNs or ID numbers were impacted.

What actions should affected individuals take after a breach?

They should review medical and insurance activity for unfamiliar charges, request new insurance identifiers if exposed, change passwords and enable multi-factor authentication, place a fraud alert or credit freeze, monitor credit reports, and stay alert to phishing attempts referencing the breach.
