Connecticut advances breach bill for incidents affecting 100,000 people

Connecticut lawmakers introduced Raised S.B. 117, a 2026 bill that would revise the state’s existing data breach law, Conn. Gen. Stat. § 36a-701b, by creating a new category called a massive breach of security.

 

What happened

Under the bill, the term would mean a breach involving the personal information of at least 100,000 Connecticut residents. For those large incidents, the proposal would require the affected entity to arrange a third-party forensic examination, analysis, and report and submit that report to the Connecticut Attorney General within 90 days after discovering the breach.

The bill would also let the Attorney General hire a forensic investigator directly if an entity does not comply, with the cost billed to the entity, and it would impose a civil penalty structure that reaches up to $500,000, with a lower cap for small businesses. The bill has entered the formal legislative process but has not yet become law.

 

In the know

Raised S.B. 117 was introduced by Connecticut’s General Law Committee, led in 2026 by co-chairs James J. Maroney and Roland J. Lemar. It was formally referred on February 10, 2026, and received a public hearing on February 18, 2026. As state cybersecurity legislation expands, states such as California have a stricter health-sector reporting regime. That legislation is sector-specific, though, and differs from S.B. 117, which has a general statewide forensic-report mandate tied to a massive-breach threshold not seen in other states.

What was said

The Connecticut Hospital Association testimony notes, “There is an implication in the bill, in part through the use of the term 'massive breach of security,' that a business that makes the report is automatically guilty of an offense. That is not the case and should not be the law. We live in a world full of bad actors who find new ways to breach sources of data. No cybersecurity system is immune to possible intrusion, even if state-of-the-art precautions are taken.”

What happens next

After its February 18, 2026, public hearing, Raised S.B. 117 still needs action from Connecticut’s General Law Committee before it can move to the House or Senate for debate and a vote. If the bill advances, healthcare organizations will be watching closely. Large hospitals, insurers, and vendors are among the entities most likely to face extra scrutiny, tighter timelines, and potentially expensive forensic reporting after a major breach.

That matters because the burden does not end with notification. As a Digital Health study puts it, “Higher information technology labor investment due to the remediation of data breaches is an added cost to the healthcare system.”

Why it matters

The bill defines a breach of security as unauthorized access to, or unauthorized acquisition of, electronic data containing personal information, which matters for hospitals, clinics, and health systems because they routinely hold medical, insurance, and billing data at scale.

The text of the Act indicates the extent to which it will affect healthcare organizations: “Any person who is subject to, and in compliance with, the privacy and security standards under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act…medical information regarding an individual's medical history, mental or physical condition or medical treatment or diagnosis by a health care professional…”

Connecticut Hospital Association testimony warns that HIPAA-covered entities would no longer be able to rely on the current copy-to-the-Attorney-General approach and instead would face a new mandatory process requiring an immediate third-party forensic review and a report within 90 days for a massive breach affecting more than 100,000 residents.


FAQs

What is different about this bill?

The main change is a new category called a massive breach of security. For those incidents, the bill would require a third-party forensic examination and a detailed forensic report to the Attorney General. That goes beyond ordinary breach notification.

 

Would this create new costs for healthcare organizations?

Yes. The bill says the affected entity must bear the cost of the forensic examination, analysis, and report. It also adds civil penalties for failing to submit the report.

 

Would the forensic report stay confidential?

The bill says forensic reports provided to the Attorney General would be exempt from public disclosure under Connecticut’s public records law, but it also says the Attorney General may make them available to third parties in furtherance of an investigation.

 
