Hit by a data breach? 5 steps you must take

Published
  • June 20 2017, 6:30am EDT

5 steps the feds suggest if a breach occurs

Whether it’s a ransomware attack or another kind of cyber security incident, organizations have specific obligations to contain the incursion and file the appropriate reports with the federal government. For example, the Office for Civil Rights (OCR) of the Department of Health and Human Services recently outlined the basic steps healthcare organizations should take in response to a cyber-related security incident. The steps apply equally to a HIPAA-covered entity, such as a healthcare provider, and to a business associate.

1. Begin response and mitigation procedures and contingency plans

The organization should immediately fix the technical or other problems that allowed the incident and stop it from continuing. It should also take steps to mitigate any impermissible disclosure of protected health information; that work can be done by its own IT staff or by an outside firm brought in to help. Keep a record of what was done and when, since later notifications and any penalty determination turn on the date of discovery and the response that followed.


2. Report the crime to law enforcement agencies

Organizations should contact state or local law enforcement, the FBI or the Secret Service. In the case of healthcare providers, OCR’s advice notes that such reports should not include protected health information unless disclosure is otherwise permitted by the HIPAA Privacy Rule. There is one caveat: if a law enforcement agency tells the organization that a breach report would impede a criminal investigation or harm national security, the organization must delay its breach notifications for the period the agency requests in writing, or for no more than 30 days if the request is made orally (in which case the organization should document the oral request, including the identity of the official who made it).

3. Report the breach to OCR

For a breach affecting 500 or more individuals, the organization must notify OCR without unreasonable delay, and in no case later than 60 days after discovery of the breach.

4. Notify affected individuals and the media

The organization also has a responsibility to notify affected individuals promptly, and to notify the media where the breach affects more than 500 residents of a state or jurisdiction, unless a law enforcement official has requested a delay as described above. OCR treats a cyber-related security incident in which protected health information is accessed, acquired, used or disclosed as a presumed breach that must be reported, unless either the information was encrypted by the entity at the time of the incident, or the entity determines through a documented risk assessment that there was a low probability the information was compromised. That assessment considers the nature and extent of the information involved, who obtained it, whether it was actually acquired or viewed, and the degree to which the risk has been mitigated.

Even for breaches affecting fewer than 500 individuals, the organization must notify the affected individuals without unreasonable delay and no later than 60 days after discovery, and must report the breach to OCR within 60 days after the end of the calendar year in which it was discovered.


5. Await penalties and fines

For healthcare organizations, the HIPAA Enforcement Rule provides for civil money penalties for violations uncovered by a breach. It states that, in determining the amount of any applicable civil money penalty, OCR may consider mitigating factors, including such other matters as justice may require, so how promptly and thoroughly the organization carried out the preceding steps can affect the outcome.