(a) (1) In this section the following words have the meanings indicated.
(2) “Breach of the security of a system” has the meaning stated in § 14–3504 of the Commercial Law Article.
(3) “Carrier” means:
(i) an insurer;
(ii) a nonprofit health service plan;
(iii) a health maintenance organization;
(iv) a dental organization;
(v) a managed care organization;
(vi) a managed general agent; and
(vii) a third party administrator.
(4) “Personal information” has the meaning stated in § 14–3501 of the Commercial Law Article.
(b) (1) A carrier shall notify the Commissioner on a form and in a manner approved by the Commissioner that a breach of the security of a system has occurred if the carrier:
(i) conducts an investigation required under § 14–3504(b) or (c) of the Commercial Law Article; and
(ii) determines that the breach of the security of the system creates a likelihood that personal information has been or will be misused.
(2) The carrier shall provide the notice required under paragraph (1) of this subsection at the same time the carrier provides notice to the Office of the Attorney General under § 14–3504(h) of the Commercial Law Article.
(c) Compliance with this section does not relieve a carrier from a duty to comply with any other requirements of federal law or Title 14 of the Commercial Law Article relating to the protection and privacy of personal information.