Industry News

New California Law Shortens Data Breach Notification Deadlines

Demi-lee Mpati | October 2025

California's new Senate Bill 446 (SB 446), signed by Governor Gavin Newsom, tightens the state's data breach notification rules effective January 1, 2026. The law replaces the current "without unreasonable delay" standard with firm deadlines, requiring organizations to notify affected individuals within 30 days of discovering a breach, and the California Attorney General within 15 days if more than 500 residents are impacted. For healthcare entities already subject to HIPAA's 60-day notification rule, SB 446 introduces a stricter timeline, making state law the governing standard for California residents. Healthcare providers, health plans, and business associates should update their breach response plans, vendor agreements, and staff training to ensure timely compliance. Preparing now will help organizations minimize risk, maintain trust, and meet both federal and state reporting obligations.

About the Author

Demi Mpati serves as an Associate Consultant at Strategic Management Services, where she supports clients in navigating complex healthcare regulatory requirements and strengthening their compliance programs. In this role, she conducts in-depth research and analysis of federal and state healthcare laws, including the False Claims Act, Anti-Kickback Statute, Stark Law, HIPAA, and CMS regulations. Ms. Mpati's work enables Senior Consultants to advise their clients and keep them informed and compliant in a rapidly evolving regulatory environment.