Healthcare News & Insights

5 steps healthcare organizations should take in response to data security breach

Healthcare security breaches have been on the rise in recent years. In 2016 alone, more than 27 million patient records were compromised as part of 450 data security breach incidents. And 2017 isn’t looking much better, with several large breaches already logged with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR). In this guest post, Chris Byers, CEO of a company that offers an online form and data-collection platform, offers five steps to take in the event of a data security breach.


Data security breaches can be costly, especially when they involve HIPAA violations. Earlier this year, Anthem agreed to a $115 million class-action settlement over a data breach affecting 78.8 million records, a new record for a breach settlement.

HIPAA fines aren’t the only costs associated with healthcare security breaches. When a breach occurs, organizations must work through a series of time-consuming (and often expensive) actions to mitigate the situation. Here are five steps your healthcare organization should take to ensure a timely and appropriate response in the event of a data security breach:

1. Identify vulnerabilities

The first step is to find the root of the problem and contain it: isolate the affected systems and revoke any compromised credentials so the breach stops spreading, while preserving logs and disk images so the investigation that follows has evidence to work from. Then perform the risk analysis the HIPAA rule expects, determining the nature and scope of the breach as well as its origin.

There are several questions you’ll need to answer:

  • Who is responsible for the breach – internal personnel or external hackers?
  • When did the breach occur?
  • How did the breach occur? Were servers or systems hacked? Did an employee unlawfully access information?
  • Was any ePHI compromised, and how many individuals' records were involved?
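The four questions above are usually answered from the EHR access-audit trail rather than from interviews. As an added example (not part of the original article), the script below takes a small constructed audit log, aggregates it per account, flags accounts whose behaviour is out of line for their role, and reports who acted, over what time window, whether sessions came from outside the network, and which patient records were touched. The log lines, the internal address range (10.0.0.0/8), the role baselines and the "export" action name are all assumptions made for this illustration.

```python
"""Scoping a suspected ePHI breach from an EHR access-audit trail.

Constructed example: the log lines, the internal address range
(10.0.0.0/8) and the per-role baselines are assumptions for this
illustration, not data or thresholds from any real system.
Each log line is: timestamp,user,role,patient_id,action,source_ip
"""
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed corporate address range

# Assumed upper bound on distinct patients a role normally touches in the
# period under review; 0 means the role should never open patient records.
ROLE_BASELINE = {"nurse": 40, "physician": 60, "billing": 25, "it_admin": 0}

# Constructed sample audit lines (not from a real system).
SAMPLE_LOG = """\
2017-03-02T08:05:11Z,jsmith,nurse,P1001,view,10.20.1.15
2017-03-02T08:07:40Z,jsmith,nurse,P1002,view,10.20.1.15
2017-03-02T22:14:03Z,svc_backup,it_admin,P1003,export,10.20.9.8
2017-03-02T22:14:04Z,svc_backup,it_admin,P1004,export,10.20.9.8
2017-03-02T22:14:05Z,svc_backup,it_admin,P1005,export,10.20.9.8
2017-03-03T01:30:00Z,svc_backup,it_admin,P1006,export,198.51.100.23
2017-03-03T09:12:47Z,mjones,billing,P1001,view,10.20.2.40
"""


@dataclass
class UserActivity:
    user: str
    role: str
    first: datetime
    last: datetime
    patients: set = field(default_factory=set)
    external_ips: set = field(default_factory=set)
    actions: dict = field(default_factory=dict)


def parse_line(line):
    ts, user, role, patient, action, ip = line.strip().split(",")
    return (datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            user, role, patient, action, ip_address(ip))


def summarize(log_text):
    """Per account: time window, records touched, action counts, external IPs."""
    activity = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action, ip = parse_line(line)
        ua = activity.get(user)
        if ua is None:
            ua = activity[user] = UserActivity(user, role, ts, ts)
        ua.first = min(ua.first, ts)
        ua.last = max(ua.last, ts)
        ua.patients.add(patient)
        ua.actions[action] = ua.actions.get(action, 0) + 1
        if ip not in INTERNAL_NET:
            ua.external_ips.add(str(ip))
    return activity


def flag_suspects(activity):
    """Return {user: [reasons]} for accounts whose activity is out of line."""
    suspects = {}
    for ua in activity.values():
        baseline = ROLE_BASELINE.get(ua.role, 0)
        reasons = []
        if len(ua.patients) > baseline:
            reasons.append(f"{len(ua.patients)} distinct patients exceeds "
                           f"{ua.role} baseline of {baseline}")
        if ua.external_ips:
            reasons.append("sessions from outside the internal network: "
                           + ", ".join(sorted(ua.external_ips)))
        if ua.actions.get("export"):
            reasons.append(f"{ua.actions['export']} bulk export action(s)")
        if reasons:
            suspects[ua.user] = reasons
    return suspects


def breach_scope(activity, suspects):
    """Who, when (first/last event), how (external vs internal-only sessions)
    and which patient records were touched; None if nothing was flagged."""
    flagged = [activity[u] for u in suspects]
    if not flagged:
        return None
    records = set().union(*(ua.patients for ua in flagged))
    # An internal account used from an external address points at stolen
    # credentials rather than a purely insider act; this is a heuristic.
    vector = "external" if any(ua.external_ips for ua in flagged) else "internal"
    return {
        "who": sorted(suspects),
        "window": (min(ua.first for ua in flagged), max(ua.last for ua in flagged)),
        "vector": vector,
        "patients_affected": sorted(records),
        "count": len(records),  # feeds the 500-individual notification threshold
    }


if __name__ == "__main__":
    acts = summarize(SAMPLE_LOG)
    flagged = flag_suspects(acts)
    for user, reasons in flagged.items():
        print(user, "->", "; ".join(reasons))
    print(breach_scope(acts, flagged))
```

On the sample data the service account is the only account flagged: it opened records its role never should, ran bulk exports, and one session came from an address outside the internal range, so the working answers are "stolen service-account credentials used from outside", a window from the first export to the last, and four affected patient records. The `count` field is what the notification step needs; the heuristics are deliberately simple and should be tuned to the real audit schema and role model.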

2. Seek professional legal and security counsel

Seek assistance from legal and security professionals. The legal team can review your notification plan and help you draft documentation and communications related to the breach. They can also advise on how to handle the people affected by the data leak and help prepare you for possible liability lawsuits. For instance, they may advise you to offer credit monitoring to all victims for a period of time after the breach.

The security team can do a deep dive into any identified security flaws. Then, they can help you fix network issues and ensure all systems have returned to a secure state.

3. Notify appropriate parties

The HIPAA Breach Notification Rule requires covered entities and their business associates that experience a breach of unsecured ePHI to follow a strict notification process. In short, covered entities must notify all affected individuals and the Secretary of HHS. In addition, if the breach affects more than 500 residents of a state or jurisdiction, they must notify prominent media outlets serving that area.

Notifications must be provided without unreasonable delay and no later than 60 calendar days after the breach is discovered, where "discovered" means the first day the breach is known, or with reasonable diligence would have been known, to the organization. Breaches affecting fewer than 500 individuals may be logged and reported to HHS annually, within 60 days of the end of the calendar year in which they were discovered. An organization that fails to self-report a breach risks having the violation treated as willful neglect; if the unreported breach is then discovered during a HIPAA audit, penalties in that tier start at $10,000 per violation.

Health organizations should also check state data breach notification laws, which may impose shorter deadlines, additional recipients (such as the state attorney general) or different thresholds than HIPAA does.

4. Address risks

While immediate threats should be addressed as soon as a data security breach is discovered, other outstanding issues may still need to be remedied after the breach is stopped and appropriate individuals are notified. You should conduct a thorough security audit to identify additional risks and work to implement safeguards to help protect your systems against future attacks.

Some remediation actions to consider include:

  • restoring data from clean backups, after verifying that the backup predates the intrusion and is not itself compromised
  • reformatting and rebuilding hacked devices, once forensic images of them have been preserved, and
  • rotating credentials on all accounts, including service accounts and API keys, not only user passwords, since anything the attacker could have captured must be assumed known.

5. Manage resulting consequences

Healthcare security breaches can have long-lasting consequences. As mentioned previously, HIPAA violations often lead to costly fines from the OCR. Depending on the circumstances surrounding the breach, criminal penalties (such as jail time) might also be handed down. Additionally, you’ll have your work cut out for you with regaining patient trust and restoring your reputation. However, if you can smoothly manage the fallout by following these five steps, you’ll be on your way to repairing relationships and rebuilding trust in your organization.

Chris Byers is the CEO of Formstack, an Indianapolis-based company offering an online form and data-collection platform.




  1. Valuable article for me, thank you for sharing.