The law requires that a name be associated with the data to necessitate breach notification, but Social Security numbers (SSNs) do not have to be present. The law affects all state agencies and companies that do business in the state of California. The change to the law was prompted in part by a report from the World privacy Forum that said a quarter of a million people become victims of medical identity theft every year.
