Reporting a security breach to our office
You must report a security breach to our office within two days of discovering a breach.
Your report must include:
- The date of the incident.
- The date you discovered the breach.
- The number of customers or consumers affected.
- What actions are being taken.
Reporting to other agencies
If a breach of unsecured protected health information affects individuals, a covered entity must notify the Human and Health Services Secretary of the breach.
If a security breach affects more than 500 Washington residents, you must also notify the Attorney General's Office.
Notifying impacted individuals and entities
You must notify any individuals or entities that are impacted by the security breach within 60 days of discovering the breach.
The notifications must include:
- A brief description of what happened, including the date of the breach and when it was discovered.
- A description of the types of unsecured protected health information involved in the breach.
- Any steps individuals should take to protect themselves from potential harm resulting from the breach.
- A brief description of what you are doing to investigate the breach, mitigate harm to individuals, and to protect against future breaches.
- Contact information for individuals to ask questions or learn additional information.
Report a security breach
Note: Please DO NOT include personal health information, social security numbers or other confidential information. We will contact you if we need more information.