Wisconsin Healthcare Data Breach Notification Law: Requirements and Deadlines (2026)


Kevin Henry

Data Breaches

February 23, 2026

Covered Entities and Definitions

Who the law covers

Wisconsin’s breach notification law applies to any entity (a business or organization other than an individual) that conducts business in Wisconsin, licenses or stores personal information about Wisconsin residents, maintains depository accounts for residents, or lends to Wisconsin residents. It also covers state agencies and local governments. Out-of-state organizations must notify Wisconsin residents if their personal information was involved.

What counts as personal information

Personal information means a person’s name (last name plus first name or first initial) linked with any of the following, if the element is not publicly available and is not encrypted, redacted, or otherwise unreadable:

  • Social Security number.
  • Driver’s license or state ID number.
  • Financial account or credit/debit card number, or any security/access code or password that permits account access.
  • DNA profile.
  • Unique biometric data (for example, fingerprint, voiceprint, retina or iris image, or another unique physical representation).

Encryption and proper redaction function as a safe harbor: if data are unreadable, they are not “personal information” for notification purposes.

Trigger: unauthorized acquisition and risk threshold

The duty to notify arises when there is an unauthorized acquisition of personal information—meaning someone not authorized obtained it. Notification is not required if the acquisition does not create a material risk of identity theft or fraud, or if an employee or agent acquired the data in good faith for a lawful purpose and did not misuse it.

Notification Requirements and Timelines

Notification deadline

You must notify affected individuals within a reasonable time, not to exceed 45 days, after learning of the unauthorized acquisition. Reasonableness accounts for the number of notices you must send and the communication channels available. Treat the 45-day limit as a firm outside boundary.

Law enforcement delay

If a law enforcement agency requests a delay to protect an investigation or homeland security, you must postpone notice until the agency authorizes you to proceed.

Third parties that store data

If you store personal information for someone else and do not own or license it—and you lack a contract that addresses incidents—you must notify the data owner or licensor as soon as practicable after discovery so they can notify affected individuals.

What the notice must include

Your notice must make clear that you know an unauthorized acquisition of personal information pertaining to the individual occurred. Upon written request from a notified person, you must identify the specific personal information that was acquired.

Healthcare-specific timing

HIPAA-covered healthcare entities follow HIPAA’s breach notification rule: notify affected individuals without unreasonable delay and no later than 60 days after discovery. Healthcare organizations not covered by HIPAA must follow Wisconsin’s 45-day notification deadline.

Methods of Notification and Substitute Notice

Primary delivery methods

Provide notice by mail or by a method you have previously used to communicate with the individual (for example, email if you have used email with that person before). Choose a channel that the recipient will reasonably see and act on.

Substitute notice methods

If you cannot, with reasonable diligence, determine a mailing address and have never communicated with the person before, use a method reasonably calculated to provide actual notice. Appropriate substitute notice methods may include announcements via newspaper, television, or radio. Document your selection and why it was the most effective way to reach affected individuals.

Notification to Consumer Reporting Agencies

When agency notice is required

If a single incident requires you to notify 1,000 or more individuals, you must, without unreasonable delay, notify all nationwide consumer reporting agencies. Provide the timing, distribution, and content of the notices you are sending to individuals.

Exemptions for Financial and HIPAA Entities

Financial institutions and GLBA-aligned entities

Entities subject to, and in compliance with, the Gramm–Leach–Bliley Act’s privacy and security requirements (15 U.S.C. §§ 6801–6827) are exempt. The exemption also extends to persons under contract with such entities if they maintain a security breach policy.

HIPAA-covered entities

Entities described in 45 C.F.R. § 164.104(a)—including most health plans, healthcare clearinghouses, and healthcare providers that transmit health information electronically—are exempt from Wisconsin’s breach statute if they comply with HIPAA Part 164. In practice, that means following HIPAA’s 60‑day notification timeline, notifying HHS, and, if 500 or more residents of a state or jurisdiction are affected, providing media notice for that area.

Enforcement and Penalties

How Wisconsin treats violations

Wisconsin’s breach notification statute does not require reporting to a state agency and does not specify a schedule of civil penalties. It also states that a violation is not, by itself, negligence or a breach of duty; however, failure to comply may be used as evidence of negligence or breach in litigation.

Role of the Wisconsin Attorney General

The Wisconsin Attorney General may investigate consumer protection issues under other state laws. While the breach statute itself lacks an explicit enforcement provision, noncompliance can still draw scrutiny and lead to injunctions, restitution, or civil penalties under other consumer protection statutes when applicable. Treat the 45‑day notification deadline and other requirements as mandatory to minimize legal and regulatory exposure.

Bottom line: Determine whether HIPAA or Wisconsin’s breach law governs your incident, assess material risk promptly, meet the applicable notification deadline (45 days under Wisconsin law; 60 days under HIPAA), and use approved delivery methods—including substitute notice methods when necessary.

FAQs

What entities are covered under Wisconsin breach notification law?

The law covers businesses and organizations (other than individuals) that do business in Wisconsin or hold, license, or maintain personal information about Wisconsin residents. It also covers Wisconsin state and local government bodies, and it applies to out‑of‑state entities when Wisconsin residents’ data is involved.

What information requires notification upon breach?

Notification is required when a person’s name is linked with any of these elements and the data are not encrypted or otherwise unreadable: Social Security number; driver’s license or state ID number; financial account or card number (or any access code or password that permits account access); DNA profile; or unique biometric data such as a fingerprint, voiceprint, or retina/iris image.

How soon must notifications be sent after a breach is discovered?

Under Wisconsin law, you must notify affected individuals within a reasonable time not to exceed 45 days after learning of the unauthorized acquisition. HIPAA‑covered entities must notify individuals without unreasonable delay and in no case later than 60 days after discovery.

Are healthcare providers exempt from this law?

Healthcare providers that are HIPAA‑covered entities are exempt from Wisconsin’s breach statute if they comply with HIPAA’s requirements (including the 60‑day timeline, HHS reporting, and media notice for large breaches). Healthcare organizations not covered by HIPAA must follow Wisconsin’s 45‑day rule.

What penalties apply for non-compliance?

Wisconsin’s breach statute does not contain explicit civil penalties or a private right of action, and a violation is not automatically negligence. However, noncompliance may be used as evidence of negligence in lawsuits and can lead to investigations or civil penalties under other Wisconsin consumer protection laws enforced by the Wisconsin Attorney General when those laws are implicated.
