Oklahoma tightens data breach rules with new law taking effect in 2026

Oklahoma enacted a new law amending its data breach notification statute, introducing significant changes to how entities must respond to data breaches involving personal information.

What happened

Senate Bill 626, which takes effect on January 1, 2026, broadens the definition of personal information and requires any organization that experiences a breach affecting 500 or more state residents (or 1,000 or more if involving a credit bureau system) to notify the Oklahoma Attorney General. Notifications to affected individuals must be sent without unreasonable delay, and the Attorney General must be informed within 60 days of those notifications being mailed. The law requires that notices include the date of the breach, when it was discovered, the nature of the breach, types of information compromised, number of residents affected, safeguards in place, and any estimated financial impact. 

Additional protections were added, such as including biometric data and electronic identifiers in the definition of personal information. Entities that comply with HIPAA, the Oklahoma Hospital Cybersecurity Protection Act, or the Gramm-Leach-Bliley Act (GLBA) are deemed compliant if they notify the Attorney General within the specified timeframe. The law also offers civil penalty protection, up to $150,000 per breach, for entities that implement reasonable safeguards like risk assessments, layered security, employee training, and incident response plans.

What was said

The Bill Summary of the floor analysis notes, “The floor amendment for SB626 corrects an error and deletes a provision that would have allowed the Attorney General to promulgate rules on the security breach notification process. As amended, the measure expands the definition of personal information within the Security Breach Notification Act and requires any individual or entity that owns or licenses computerized data that includes personal information to provide notice of a security breach to the Attorney General. A single security breach that affects less than 500 residents of the state is exempt from the notice requirement. A breach of a security system maintained by a credit union where fewer than 1000 residents are affected is also exempt from the notice requirement.”

Why it matters

The bill acknowledges HIPAA compliance as a baseline for acceptable data protection, stating that covered entities under HIPAA, the Oklahoma Hospital Cybersecurity Protection Act, or the GLBA will be considered compliant with the new state law. This integration reduces the risk of regulatory duplication and tightens accountability at the state level. For healthcare organizations, the bill creates an additional reporting layer beyond federal HIPAA requirements.

Although HIPAA already mandates breach notification to the Department of Health and Human Services and affected individuals, Senate Bill 626 adds the obligation to report specific details, like breach nature, scope, and financial impact, to the state Attorney General when Oklahoma residents are involved. The inclusion of biometric and electronic financial data in the definition of personal information expands the range of incidents that could trigger reporting obligations.

FAQs

What is the HIPAA Breach Notification Rule?

The HIPAA Breach Notification Rule requires covered entities and their business associates to notify affected individuals, the HHS, and sometimes the media, when there is a breach of unsecured protected health information (PHI).

What qualifies as a breach under HIPAA?

A breach is the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the privacy or security of the information.

When must notifications be issued?

Covered entities must issue notifications without unreasonable delay and no later than 60 calendar days after discovering the breach.