As of Jan. 1, 2016, Oregon's Consumer Identity Theft Protection Act of 2007 will include mandatory notification for individuals whose personal health information is breached, following the passage of Senate Bill 601.
On that date, the definition of sensitive identifying information will expand to include the following.
• Biometrics
• Health insurance policy numbers
• Unique identifiers of any kind used by health insurers
• Medical information history
• Any information about mental or physical conditions
• Information about a healthcare professional's medical diagnosis or treatment of an individual
The law also requires the state attorney general be notified in the instance of a data breaches or breaches of personal information involving 250 or more individuals.