North Dakota has amended its data breach notification law to include "medical information" and "health insurance information." See N.D. Century Code, Section 51-30-01.  Amendments to the law also provide an exemption for HIPAA  covered entities, business associates, or subcontractors so long as they are in compliance with breach notification requirements under title 45, Code of Federal Regulations, subpart D, part 164. The new law takes effect August 1, 2013.

Other states that include health information as part of their data breach notification statutes include California, Texas and Missouri. 

At the same time, North Dakota added "unauthorized use of . . . an individual's health insurance policy number or subscriber identification number or any unique identifier used by a health insurer to identify the individual" to the list of prohibited acts under its identity theft statute, N.D. Century Code. 12.1-23-11.