
What is a Data Breach Notification Letter?

The number of security breaches has risen sharply in recent years, which makes it increasingly likely that you have received a data breach notification letter in the mail. Some letters are more informative than others, but all of them are meant to alert you to a potential data leak that could have serious consequences in your life.

Because data privacy laws have been strengthened, data breach notification letters are now required by law. Every state requires private businesses to notify impacted individuals of security breaches involving personally identifiable information. These security breach laws also specify who must comply and who is required to send out the letters.

Because of the legal consequences of a data breach, companies send out data breach notification letters to minimize their liability. But by the time a company or its attorneys draft a notice to victims, the security of that personal data is already in serious question.

The Lyon Firm is currently involved in data breach cases nationwide, and is investigating a wide variety of class action data privacy litigation. If you have received a data breach notification letter, contact Joe Lyon for a free case review.

What should you do when you receive a data breach notification letter?

Many times, the victims of a security breach will get a letter in the mail and may not even recognize the name of the company that at some point collected, stored, and ultimately exposed their personal data. If you do not recognize the name of the company, contact the company and an attorney to discuss what actions to take.

First, try to work out what the letter is telling you. Most data breach letters are created from a template and, for the most part, look the same. The notice may indicate the following:

  • What happened (the type of cyberattack)
  • Who was impacted (employees, customers, patients)
  • When the security breach was discovered
  • How the company responded
  • What kind of personal data was impacted
  • What identity theft and credit monitoring services are available

Find Out What Information Was Breached

Once you know exactly what information has been compromised, you can respond more effectively and protect yourself from further risk. Assume that by the time you are notified, your information may already have been exposed for weeks or months without your knowledge. Consider that the following may have been stolen:

  • Name
  • Address
  • Logins and passwords
  • Social Security number
  • Financial information (bank and credit card info)
  • Insurance and medical information

To protect yourself against identity theft, financial fraud and medical identity theft, act quickly and take the measures listed in the following article.

Healthcare Data Breach Notification Rule

The HIPAA Breach Notification Rule requires covered entities to notify affected individuals of a breach of unsecured protected health information “without unreasonable delay” and no later than 60 calendar days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to the Secretary of Health and Human Services within that same 60-day window; smaller breaches are logged and reported to the Secretary annually.

Consumer privacy attorneys say there has been a trend for HIPAA-regulated entities to wait as long as possible before alerting affected individuals, a practice that places consumers at a higher risk of identity theft and fraud.

In many cases, data breach notifications have been sent out many months after a security incident was detected. There may be valid reasons for a delay in reporting, but in some cases the delay does a severe disservice to those impacted by a data theft event.

Delays in individual data theft notifications can mean that individuals’ Protected Health Information (PHI) has been in the hands of criminals for many months before they are even aware of the theft.

Privacy lawyers say that promptly sending out individual data breach notification letters, and being transparent about the fraud risk to individuals, is not only ethical but the only reliable way to avoid stiff penalties.

HHS has made it clear that healthcare entities that do not comply with the 60-day rule, counted from the date the breach was discovered, may be liable for notification violations.

Contact an experienced privacy attorney to learn more about your unique situation, and to take legal action. Compensation may be available to those involved in class action data breach lawsuits.
