HIPAA Journal reminds us all that states can require notification to the state of breaches that are also covered by HIPAA and can take enforcement action if they are not reported:
Recently, there have been several instances where the California DOJ has not been notified about ransomware attacks on California healthcare facilities, even though the personal and protected health information of California residents has likely been compromised in the attack.
California Attorney General Rob Bonta has recently issued a bulletin reminding all entities that house the confidential health-related information of California residents of their data breach reporting responsibilities under California law (Civil Code section 1798.82).
Read more on HIPAA Journal.