Wyoming Healthcare Data Breach Notification Law: Requirements and Deadlines for Providers
Overview of Wyoming Breach Notification Law
Wyoming’s breach notification framework sits in Title 40, Chapter 12 (often referred to as the Wyoming Consumer Protection Act) and specifically spans Wyo. Stat. §§ 40-12-501 to 40-12-509. For healthcare organizations, the statute requires a prompt investigation after discovery of a cybersecurity incident and individual notice if misuse of personal identifying information has occurred or is reasonably likely to occur. Notice must be provided in the most expedient time possible and without unreasonable delay. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
The law applies to any individual or commercial entity that conducts business in Wyoming and owns or licenses computerized data on residents. It also captures vendors that maintain such data for others, requiring rapid disclosure to the data owner and coordination on who sends consumer notices. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
Definition of Personal Identifying Information
Wyoming defines “personal identifying information” (PII) for breach purposes as a resident’s first name or first initial and last name in combination with one or more data elements cross‑referenced from W.S. 6-3-901(b)(iii)–(xiv) when the elements are not redacted. This cross‑reference excludes categories (i) and (ii) in that criminal statute (address and telephone number) from triggering breach notice on their own. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
Data elements that trigger notification
- Social Security number.
- Driver’s license number.
- Account, credit, or debit card number with any required security or access code or password.
- Tribal identification card.
- Federal or state government‑issued identification card.
- Shared secrets or security tokens used for data-based authentication.
- Username or email address with a password or security question/answer permitting account access.
- Birth or marriage certificate.
- Medical information (history, condition, treatment, or diagnosis by a health care professional).
- Health insurance information (policy/subscriber numbers, unique identifiers, application/claims history).
- Unique biometric data used for authentication.
- Individual taxpayer identification number.
These elements are enumerated in W.S. 6-3-901(b) and incorporated by reference into the breach statute’s PII definition at W.S. 40-12-501(a)(vii). ([wyoleg.gov](https://wyoleg.gov/statutes/compress/title06.pdf))
Notification Requirements for Healthcare Providers
Who must notify and when
- Conduct a reasonable and prompt investigation upon discovering a potential breach.
- If misuse has occurred or is reasonably likely, notify each affected Wyoming resident as soon as possible, in the most expedient time possible and without unreasonable delay.
- If a vendor maintains the data, it must promptly inform the data owner; the parties may agree who will notify residents. If no agreement is reached, the entity with the direct business relationship with the resident must notify. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
How to notify
- Acceptable methods: written notice, email notice, or substitute notice if thresholds are met.
- Substitute notice is permitted if: (a) notice costs would exceed $10,000 for Wyoming‑based entities (or $250,000 for entities operating in Wyoming but based elsewhere); or (b) the affected class exceeds 10,000 residents for Wyoming‑based entities (or 500,000 otherwise); or (c) contact information is insufficient. Substitute notice must include conspicuous website posting and notice to major statewide media, with a toll‑free number for residents to check if their data was involved. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
What the notice must include
- A toll‑free number to reach you (or your agent) and a toll‑free resource where the individual can obtain the contact details for the major credit reporting agencies.
- The types of personal identifying information involved.
- A general description of the incident and the approximate breach date (if reasonably determinable).
- In general terms, the actions you have taken to protect the system from further breaches.
- Advice directing the person to remain vigilant by reviewing account statements and monitoring credit reports.
- Whether notification was delayed due to a law enforcement investigation, if reasonably determinable at the time of notice. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
Notification Timeline and Deadlines
Wyoming does not impose a fixed-day deadline. Instead, you must notify affected residents “as soon as possible” and “in the most expedient time possible and without unreasonable delay,” taking into account law enforcement needs, scoping the incident, and restoring system integrity. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
Law Enforcement Delay Provisions: You may delay notice if a law enforcement agency determines in writing that notice would seriously impede a criminal investigation; notification occurs once the agency indicates it will no longer be impeded. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
Penalties for Non-Compliance
The statute authorizes the Wyoming Attorney General to bring an action in law or equity to address violations of the breach-notification section, seek other relief as appropriate to ensure compliance, and recover damages. The law does not set a specific per‑violation dollar amount for failing to notify; remedies are case‑dependent. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
Separately, Article 5 also contains explicit civil remedies for security-freeze violations by consumer reporting agencies; while distinct from breach notice, it underscores that civil recovery mechanisms exist within the same statutory article. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
Wyoming does not require providers to file breach notices with the Attorney General, and enforcement of non‑compliance is handled by the Attorney General rather than through a private right of action under this statute. ([mintz.com](https://www.mintz.com/mintz-matrix/wyoming))
Intersection with HIPAA Regulations
Wyoming expressly recognizes that a HIPAA covered entity or business associate that complies with the HIPAA Breach Notification Rule (45 C.F.R. Parts 160 and 164) is deemed compliant with Wyoming’s breach notice section for notices to affected Wyoming customers or entities. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
Under HIPAA, individual notifications must be provided without unreasonable delay and no later than 60 calendar days after discovery; large breaches also trigger media and HHS reporting. Aligning your HIPAA timeline with Wyoming’s “as soon as possible” standard will satisfy both regimes. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html))
Best Practices for Compliance
- Build an incident response playbook that maps Wyoming requirements, HIPAA 60‑day milestones, and decision points for substitute notice.
- Maintain a current data map of systems holding PII/PHI and document risk‑of‑misuse assessments to support the harm threshold analysis.
- Pre‑draft notification templates that include all Wyoming‑mandated content (including Credit Reporting Agency contact details) and HIPAA elements.
- Embed vendor and business associate contract terms requiring rapid breach reporting, cooperation on forensic scoping, and clarity on who will send notices.
- Encrypt sensitive data at rest and in transit and implement strong credential management to reduce breach‑triggering events.
- Run tabletop exercises with legal, privacy, compliance, IT/security, and communications teams to validate timelines and approvals.
FAQs
What information triggers notification under Wyoming law?
Notification is triggered when a resident’s first name or first initial and last name are involved with one or more of the following unredacted data elements: SSN; driver’s license; financial account numbers with required access codes; tribal, federal, or state ID; shared secrets/security tokens; username or email with password or security Q&A; birth or marriage certificate; medical information; health insurance information; unique biometric data; or an individual taxpayer identification number. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
What are the deadlines for notifying affected individuals?
Wyoming sets no fixed day count. You must notify “as soon as possible,” in the most expedient time possible and without unreasonable delay, considering law enforcement needs, scoping, and system restoration. If you are a HIPAA covered entity or business associate, HIPAA also requires notice without unreasonable delay and no later than 60 days after discovery. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
Are healthcare providers required to notify the Wyoming Attorney General?
No. The statute does not require filing a breach notice with the Attorney General. However, the Attorney General may enforce the law and bring actions to ensure compliance or recover damages for violations of the breach‑notification section. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))
How does Wyoming law interact with HIPAA breach notification requirements?
Wyoming deems HIPAA-compliant notifications by covered entities and business associates to be compliant with W.S. 40-12-502. Practically, meeting HIPAA’s content and 60‑day timing obligations will also satisfy Wyoming’s requirements for notifying affected Wyoming residents. ([wyoleg.gov](https://www.wyoleg.gov/statutes/compress/title40.pdf))