As required by the federal economic stimulus legislation, the Federal Trade Commission (“FTC”) has issued a proposed rule requiring notification for security breaches of health data. The rule is directed at the growing industry of online health-related services. It will apply to vendors of personal health records; entities that advertise on the websites of such vendors or of health plans, health care providers, and health care clearinghouses; entities that access or send information to personal health records; and third party service providers. Under the proposed rule, the breach notification obligations are triggered when an entity knows, or reasonably should have known, about the breach. At that time, immediate notification is required to the FTC, and notification within 60 days and “without unreasonable delay” to individuals whose “unsecured” personal health record information is acquired without authorization. Information is considered “unsecured” unless it is encrypted or destroyed in accordance with guidance issued by the Department of Health and Human Services. Comments on the FTC proposed rule are due by June 1, 2009, and the final rule will go into effect on September 18, 2009.