The Governor of Pennsylvania, Tom Wolf, has signed Senate Bill 696 into law, which expands the definition of personal information under the Breach of Personal Information Notification Act that requires individual notifications to be issued in the event of a data breach. The updated law will take effect on May 2, 2023.

The updated definition of personal information now includes medical information, health insurance information, and usernames and passwords. Notifications must be issued if any of that information is breached along with the name of a state resident.

Medical information is classified as individually identifiable information related to an individual’s current or past medical condition, diagnosis, or treatment that has been created by a healthcare professional. Health insurance information includes a health insurance policy number or subscriber number, combined with an access code or other information that would allow the misuse of an individual’s insurance benefits. Breaches of usernames requires notifications to be sent to an individual. Notifications are also required if the password is compromised or any other information such as a security question and answer that allows an individual’s online account to be accessed.

In the case of the latter, electronic notices can now be issued to individuals if a prior commercial relationship exists and the individual or entity has a valid email address if the notice directs that individual to promptly change their password or other related account information for security reasons to protect their account. Standard notifications must be provided by mail to the last known home address of the individual, although telephonic notices are permitted if an individual can be reasonably expected to be reached by telephone.