Most Pennsylvania businesses that updated their data practices after September 2024 stopped there. The BPINA amendments have been in effect for over a year, and two additional bills that passed the Pennsylvania House in October 2025 are now pending in the Senate. One would create the state’s first comprehensive consumer data privacy law. The other would let individuals sue companies directly for breach damages. Neither is law yet. But businesses that haven’t fully closed the gaps the 2024 amendments created are already behind, and the legislative direction is clear.
What BPINA Covers and Who It Applies To
The Breach of Personal Information Notification Act applies to any private or public entity that maintains, stores, or handles personal information belonging to Pennsylvania residents. Size doesn’t matter here. A healthcare practice, a staffing firm, a financial services operation, a mid-size manufacturer with an HR system — if you’re collecting identifying information on Pennsylvania residents, this law applies to you.
BPINA has existed since 2005. The 2024 amendments signed by Governor Josh Shapiro are the most consequential updates the law has seen, bringing it closer in line with stricter state data breach notification laws enacted elsewhere over the past decade. Some of those changes are definitional. Others carry direct financial obligations.
Expanded Definition of Reportable Personal Information
The amended law significantly widens what counts as protected personal information. Under the prior version, the list was narrow enough that a lot of sensitive data fell outside it. That’s no longer the case.
The updated definition now includes a first name or initial and last name combined with any of the following: medical information held by a state agency or state agency contractor, health insurance information, an email address paired with a password or security question that would allow access to an online account, or online credentials generally, including a username and password combination.
So if your business stores insurance verification records or login credentials for any internal or client-facing platform, those data elements now carry legal weight under BPINA that they didn’t before. HIPAA already governs certain health data disclosures for covered entities, but BPINA’s expansion reaches businesses that handle health-adjacent data outside a clinical context and aren’t subject to federal rules.
What Types of Incidents Now Count as a Reportable Breach?
This is where the amended law makes its sharpest departure from the prior version.
Before September 2024, a breach of security under BPINA required unauthorized acquisition of personal data. That distinction mattered, especially for ransomware incidents. If attackers encrypted files without clearly exfiltrating them, there was a reasonable argument that no breach had occurred under the old language.
That argument is gone. The amended law now defines a breach of security as unauthorized access to personal data, not just acquisition. If an unauthorized person gets into your systems and that access puts the security or confidentiality of personal information at risk, you have a reportable event, regardless of whether anything was downloaded.
Ransomware is the obvious example. Attackers move through environments, access sensitive files, encrypt them, and often leave without generating clear proof of exfiltration. Incident response plans built around confirmed data theft as the notification trigger are working off an outdated standard.
Your incident response process needs to account for three scenarios that the old acquisition standard let you set aside: ransomware attacks in which files are only locked and never exfiltrated; unauthorized access to or viewing of sensitive records without evidence of a download; and compromised online accounts where access occurred but no exfiltration can be documented.
Updated Notification Requirements for Pennsylvania Businesses
The notification timeline framing hasn’t changed. The amended law still requires notice “without unreasonable delay” after a business determines a breach has occurred. There’s no fixed number of business days written into the statute, though most legal interpretations treat 60 days from the date of the breach as the practical outer boundary.
What changed is who receives that notice. Two thresholds now apply.
If a breach affects more than 500 Pennsylvania residents, you must notify the Pennsylvania Attorney General’s office concurrently with notifying affected individuals. The prior threshold for notifying consumer reporting agencies was 1,000 affected residents. That number has been cut to 500. More incidents will now require both notifications happening in parallel, not sequentially.
Notice to affected individuals can still be delivered in writing, by telephone, or by email if an established business relationship exists. When direct notification isn’t feasible, substitute notice remains available through a combination of email outreach, a conspicuous posting on your website, and notification to major statewide media outlets.
Financial and Operational Impact of the BPINA Changes
The amendments introduce direct financial obligations that can significantly raise the compliance cost following a qualifying breach. The most significant new expense is mandatory credit monitoring.
When a breach exposes a resident’s name combined with certain sensitive data elements, your business must provide 12 months of credit monitoring services and access to one independent credit report at no cost to the affected individual. The trigger is tied to specific data combinations:
| Triggering Data Element (with Name) | Required Action |
|---|---|
| Social Security Number | 12 months credit monitoring + free credit report |
| Driver’s license or state ID number | 12 months credit monitoring + free credit report |
| Bank account number or financial account number | 12 months credit monitoring + free credit report |
Enterprise credit monitoring contracts typically run between $10 and $20 per person per month depending on provider and volume. A breach affecting 600 residents can generate $72,000 to $144,000 in credit monitoring obligations alone, before legal fees, investigation costs, or any regulatory engagement.
Worth noting: the expanded personal information definition widens the path to these costs. Health insurance information and online credentials now fall under BPINA’s scope, so incidents involving that data can trigger the notification requirements that lead to credit monitoring obligations depending on what other data was involved in the same incident.
What’s Still Moving Through the Legislature
Two bills that passed the Pennsylvania House in October 2025 are now pending in the Senate, and both are worth watching.
HB 78, the Consumer Data Privacy Act, would establish Pennsylvania’s first comprehensive consumer data privacy framework. It cleared the Senate Consumer Protection and Professional Licensure Committee 14-0 in February 2026 and has since been re-referred to the Senate Communications and Technology Committee. If enacted, it would take effect January 1, 2027, and would impose new obligations on how businesses collect, use, and protect personal data at a scope well beyond BPINA’s current reach.
HB 997 goes directly at BPINA’s current enforcement structure. Right now, only the Attorney General can pursue violations. HB 997 would introduce a private right of action, allowing individuals to sue companies directly for damages resulting from a breach. The bill passed the House 112-91 and was referred to the Senate Communications and Technology Committee in October 2025. The PA Chamber of Commerce has formally opposed it. Neither bill is law, and both face a Republican-controlled Senate. Still, the direction of travel is not ambiguous, and businesses that treat the 2024 amendments as the ceiling rather than the floor are misreading the environment.
Enforcement Examples and Real-World Application
Violations of the amended law are treated as unfair trade practices under Pennsylvania’s consumer protection law. That classification gives the Pennsylvania Attorney General’s office the authority to seek injunctive relief, require restitution to affected consumers, and pursue civil penalties against non-compliant businesses.
The state has shown it will act. A recent example worth knowing about involves the enforcer itself.
The Pennsylvania Attorney General Ransomware Case
In late 2024, the Pennsylvania Attorney General’s office confirmed a data breach resulting from a ransomware attack on a third-party vendor. The vendor’s compromise exposed sensitive information connected to the office. The Attorney General’s office responded by notifying affected individuals and providing remediation services, including access to an independent credit report, consistent with what the amended law requires.
Two things stand out. First, the incident involved a third-party vendor, not a direct attack on the office itself. Supply chain exposure is real, and BPINA doesn’t exempt you because the breach originated outside your own systems. Second, the office didn’t wait for confirmed exfiltration before treating this as a reportable event. They assessed the unauthorized access, applied the standard, and acted.
That’s the model Pennsylvania businesses are being held to.
What Penalties Can Organizations Face for Non-Compliance?
Penalties under BPINA are pursued through the consumer protection framework. If the Attorney General’s office determines a violation occurred, available remedies include injunctive relief compelling compliance, restitution payments to affected consumers, and civil penalties against the non-compliant business entity. Non-compliance also carries reputational exposure that doesn’t show up in a penalty calculation but tends to matter to clients and partners.
If HB 997 passes, the exposure gets meaningfully larger. A private right of action means individual plaintiffs, not just regulators, could bring claims. That’s a different category of legal risk than what currently exists.
Practical Steps for Compliance with Pennsylvania’s Breach Notification Law
A few concrete places to start.
Audit what you’re holding. Do you collect health insurance information during onboarding, intake, or billing? Do you store login credentials, even for internal tools? Those data elements alongside names now fall under BPINA. Knowing what you have is step one.
Revisit your incident response plans. The shift from acquisition to access changes your response threshold. Unauthorized access to a system containing personal data is potentially a reportable event from the moment it’s confirmed. Waiting for exfiltration evidence before starting your notification review adds risk it didn’t add before.
Budget for credit monitoring. If your environment contains Social Security numbers, driver’s license numbers, or bank account numbers, a qualifying breach now comes with mandatory per-person remediation costs. Build that into your incident response budget before something happens, not after.
Confirm your notification workflow covers the new thresholds. If your current process doesn’t include concurrent notification to the Attorney General’s office and consumer reporting agencies for breaches over 500 individuals, that gap needs to close before the next incident.
Watch the pending legislation. HB 78 and HB 997 are not law today. But both passed the House with meaningful margins, and the compliance implications of either becoming law are significant. Organizations that start assessing impact now will be in a better position than those waiting for a governor’s signature.
If you’re not certain your current data handling and incident response plans account for the expanded triggers under the amended law, that’s a reasonable starting point for a conversation. We can walk through your environment and show you where the gaps are.
Frequently Asked Questions
Are Pennsylvania’s Breach Notification Rules Now Stricter Than Other States?
The amendments move Pennsylvania’s law closer to what stricter states require, but Pennsylvania doesn’t lead the pack. Some states set firm day counts for notification, cover a broader set of entities, or require wider disclosure. What’s changed is that satisfying Pennsylvania’s obligations is now meaningfully harder than it was before September 2024, and pending legislation would tighten that further.
How Soon Do Businesses Need to Notify Affected Individuals of a Breach?
The law requires notification “without unreasonable delay” after a breach is determined to have occurred. No fixed number of business days is written into the statute. In practice, most legal guidance treats 60 days from the date of the breach as the outer limit, though earlier action is expected when scope becomes clear quickly.
What Should Businesses Do If Unsure Whether an Incident Is Reportable?
Bring in legal counsel with information security and data privacy experience before deciding how to proceed. The access-based trigger creates more ambiguous situations than the old acquisition standard did. Getting that assessment early, before a response decision is made, is the cleaner path forward.