How to Remain Compliant (and Calm) During a Data Breach

by Christian Auty
September 20, 2017
in Data Privacy, Featured

Responding to a Cyberattack

Hardly a day passes without a data breach revelation in the news, and perhaps no industry is more vulnerable for future attacks than health care. In 2015, the health care industry experienced more breaches stemming from cyberattacks than any other industry, a recent report by the U.S. Department of Health and Human Services found.

with co-author Bob Morgan

Cyber events can be detrimental to health care organizations, including payers and providers and, most importantly, patients. While prevention needs to be taken seriously, it’s extremely important to also make sure you know what to do in the event a cyber event does occur.

Stop and Call Your Lawyer

Once you are notified of a cyber event or breach occurrence, the first thing you should do is call the lawyer on your legal team designated to take the lead on these matters. It’s important for your team to have one central voice, and your lawyer should be it. This person is someone who knows your business, knows your team, has helped prepare your incident response plan and has been looped into discussions about what to do when there’s a data breach.

This designated lawyer should also be very familiar with your HIPAA risk management plan. The plan should be updated annually and assign scores to your risk so you can put tools in place to mitigate the risk of a breach in the first place. The goal of the plan is to formulate a quantitative or qualitative value for each risk (or set of risks) and therefore determine what course of action the company will take. Though we are discussing a breach in the context of its occurrence, risk management plans enable hospitals to know their vulnerabilities and become more familiar with their cyber operations if something does occur.

When developing the plan, consider using red, yellow and green lights or a 1-10 scale to understand the severity of each risk (probability multiplied by impact) and use that severity to determine whether you will (1) mitigate, (2) eliminate (i.e., remove the program from operations), (3) avoid (i.e., insure against the risk) or (4) accept (i.e., do nothing). Spear-phishing, the fraudulent practice of sending emails that appear to come from a trusted sender to induce targeted individuals to reveal confidential information, is one example. In an email-intensive environment this risk has a medium probability and a high impact, so you could give it a red light, or an 8 out of 10. That score indicates you must eliminate, mitigate or avoid the risk (you cannot accept it). You can't eliminate it because hospitals need email, so you must mitigate, avoid or both. In this case, you would probably purchase insurance and mitigate by deploying a spam filter, scanning attachments and training employees not to click on unusual links.

As much as you can safeguard and adhere to plans like the above, breaches do happen, so, it is important to have an incident response plan in place. A strong response plan includes:

  • The list of individuals to call and engage with immediately, which we recommend does not exceed seven individuals. This will likely include a member of:
    • The IT team (they should be called in the first five minutes of a breach),
    • The board of directors,
    • The employee communications director,
    • Your media relations team and
    • A clinical representative (Head of Clinicians, Nursing, etc.).
  • A method of reaching each of these individuals that does not rely on company email (home phone numbers, cell phone numbers and personal emails). Keep in mind, however, that any email sent to a personal account should be brief and geared toward initiating a phone call. Personal email may be insecure and may not be privileged.
  • A repository of key documents including insurance obligations.

If you have a team of six to assist, why call your lawyer first? You need someone that knows your business, is familiar speaking to a variety of audiences – including regulators and media – and can help translate and build messaging. IT does not speak the same language as the board; clinicians are not trained to interact with journalists as compared to a media director.

Second, and most importantly, it is critical to communicate within attorney-client privilege to the maximum extent possible. Once legal is engaged, make sure they are included and actively engaged on emails; merely copying counsel is not enough to make an email privileged. Doing so will give your team options when formal proceedings happen.

Assess and Activate

The first goal in any breach response is to stop the bleeding. This means segregating the affected servers or endpoints (i.e., computers, laptops, etc.) and removing them from the network. As in medicine, the first rule is “do no harm” (or no further harm). Taking servers offline without deleting or unplugging them, so that evidence on them is preserved, is generally a prudent step, especially when you are confident that data is being actively exfiltrated to unknown networks. This analysis should be among the first performed by IT in an incident response plan. Once you have halted the breach in its tracks or prevented things from getting worse, you can begin to execute your response plan. Here’s what to do:

  • Ask IT for an assessment of the extent of the breach, and then call your external forensics team, who should be pre-authorized. Forensics should not be called in too late. Waiting too long can mean the inadvertent loss of data or the failure to capitalize on information that could assist a law enforcement investigation.
  • Begin to script the necessary documentation and communications according to the following guidelines:
    • It’s important to be forthright if you know how the breach has occurred.
    • Develop an honest and non-leading public relations statement.
    • Ensure your call center is prepared to answer questions before and after a public notification or media story publishes.
  • Talk to key stakeholders, keeping these considerations in mind:
    • Once your response team is notified, begin to speak with clinicians and administrators. In your response plan, you should have pre-listed the groups of individuals who hold different types of data or private information. Information should be given on need-to-know basis. In some cases, all employees and the public will need to know (for example, operational interruptions). In other cases, only certain employees should be advised until the company is prepared to go public with the information.
    • In the case of a health care system or health care organization, remember that patients come first. For example, while it may be difficult for clinicians, you may be required to temporarily revert to paper charting to ensure your patients’ data is protected while an investigation is underway or until a server is reactivated.

Inform Law Enforcement and the Public

Depending on the type of breach and its size, there are a variety of organizations that will need to be called. While it’s not necessary to call enforcement within minutes of a breach, it’s important to know who you should call. For example, for a HIPAA breach involving 500 patients or more, you will be required to notify the Secretary of HHS within 60 days of the date of discovery of the breach.

If you call the FBI, don’t be alarmed if they don’t call you back right away. They often want you to run your own investigation. In some cases, the FBI or other law enforcement may ask you to withhold notice of the breach while the investigation is pending. This pauses the notification clock under HIPAA and, generally, under state law as well. Keep in mind: the legal requirements can be contradictory — for example, a regulator (or the FBI) may ask that you notify no one, but your insurer may require notice within 10 days to trigger coverage. In this instance, work with the FBI to first gain their approval to provide appropriate notice to the insurer, and document the request.
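As an added illustration that is not part of the original article, the following Python sketch tracks the notification clocks described above: the HHS deadline for breaches of 500 or more individuals (60 days from discovery), a law-enforcement hold that pauses that clock, and an insurer notice window that does not. The insurer window, the hold dates and the day-for-day tolling rule are assumptions made for the example; the dates used are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Figures stated in the article: notify the Secretary of HHS within 60 days of
# discovery when 500 or more individuals are affected.
HHS_THRESHOLD = 500
HHS_WINDOW_DAYS = 60

@dataclass
class LawEnforcementHold:
    """A law-enforcement request to withhold notice; released=None means still open."""
    requested: date
    released: Optional[date] = None

@dataclass
class Incident:
    discovered: date
    affected_individuals: int
    insurer_notice_days: Optional[int] = None   # policy-specific; the article's example is 10
    hold: Optional[LawEnforcementHold] = None

def hold_days(incident: Incident, as_of: date) -> int:
    """Calendar days the HIPAA clock has been paused, counted up to as_of if the hold is open.
    Assumption for this example: the pause equals the length of the hold, day for day."""
    if incident.hold is None:
        return 0
    end = incident.hold.released or as_of
    return max(0, (end - incident.hold.requested).days)

def hhs_deadline(incident: Incident, as_of: date) -> Optional[date]:
    """HHS notice deadline shifted by any hold; None below the 500-individual threshold
    (smaller breaches carry other obligations that this example does not model)."""
    if incident.affected_individuals < HHS_THRESHOLD:
        return None
    return incident.discovered + timedelta(days=HHS_WINDOW_DAYS + hold_days(incident, as_of))

def insurer_deadline(incident: Incident) -> Optional[date]:
    """Insurer notice runs from discovery and, being a contract term, is not paused by a hold."""
    if incident.insurer_notice_days is None:
        return None
    return incident.discovered + timedelta(days=incident.insurer_notice_days)

def conflicts(incident: Incident) -> List[str]:
    """Flag the clash the article warns of: an insurer deadline landing inside a hold."""
    due, hold = insurer_deadline(incident), incident.hold
    if due is None or hold is None or due < hold.requested:
        return []
    if hold.released is not None and due > hold.released:
        return []
    return [f"insurer notice due {due} falls inside the law-enforcement hold begun {hold.requested}: "
            "obtain law enforcement's approval to notify the insurer and document the request"]
```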

Review Obligations

The most important part of any response plan or compliant reaction is notification. Verifying and staying current with breach notification requirements is a good example of valuable pre-breach planning. Spending a few hours every six months reviewing insurance and regulatory notification requirements will help significantly when a crisis hits and there is no time to waste.

Post-breach, there is usually a requirement to notify an insurer of a covered incident within a specified timeframe or else waive coverage. Your legal team needs to verify all insurance notification requirements on day two at the latest. While the breach response team will be inundated with communication and IT needs, it is important not to lose sight of mandatory notification obligations that could pose significant financial or regulatory penalties.

Execute the Remainder of the Response Plan

While you may have notified all the necessary parties and even determined the source of the breach, your job is not done. Proper documentation and communication are crucial and must be maintained. Convene a meeting at the end of an incident response to discuss what happened, determine what could have been done better and document and share opportunities for improvement with the response team. Remember: this sort of communication should only occur with a non-privileged group after regulatory proceedings/lawsuits have concluded. You do not want email or other communications suggesting there were deficiencies in the response while matters are pending.

Christian Auty

Christian Auty is a Principal at law firm Much Shelist. An experienced litigator, Christian has an established reputation as a strong client advocate and is well-versed in issues at the intersection of law and technology, including data privacy and data breach response, electronic discovery, data storage and retention practices and information governance.