Healthcare News & Insights

Strategic plan is critical to prepare for data breaches in health care

Hospitals are a favorite target of hackers, as is apparent with the number of facilities experiencing data breaches. In this guest post, Kristen Broyles, a social media marketer, offers five steps hospitals need to think about in terms of data breaches.


Data breaches of all shapes and sizes are affecting organizations in all sectors of the healthcare industry, from health insurance companies to hospitals to technology companies. The impact of these data breaches is exponential: some studies report that the number of victims from health plan data breaches has increased by more than 1,000% in 2018. According to IBM, the average cost of a data breach is $3.86 million, and for health care the financial stakes are even higher. The average cost of each lost or stolen record is about $408, which is twice as much as in the financial industry.

All of that to say, the stakes are high in health care and facilities need to be prepared for communication challenges that may arise when the worst happens. Here are five steps hospitals need to keep in mind in the face of a data breach.

Plan ahead

The worst plan is no plan at all. No one expects a data breach to happen to them and many companies skimp on planning for communications risks, but a faulty response to a crisis can be extremely detrimental to an organization’s brand image. From a communications perspective, it’s important to hope for the best, but plan for the worst.

The first step is discovery. Examine the potential for risk in your organization – find the weak spots and imagine the worst-case scenario. Now that your blood pressure has spiked, it’s time to identify the stakeholders. Who will be affected by this breach? What’s the financial, emotional and overall business impact of the situation? Finally, how are you going to make it right?

It’s important to go through this exercise for a variety of scenarios as not all breaches will be the same. Map out the scenarios and corresponding action plans to ensure your team is prepared to tackle a crisis quickly and efficiently.

Transparency is the new black

A crisis isn’t the time to be prideful – it’s a time to be forthcoming with your customers and investors. Hospitals have some additional challenges when it comes to data privacy and availability. However, explaining the who, what, when, where and why in broad terms is essential to preserving patient and customer trust.

Regarding data breaches, consumers expect a certain level of information right out of the gate. Be prepared to create a comprehensive statement that covers what happened and when, who it impacts and the action plan in place to address the issue. If you don’t have the details at the time the news is breaking, share what you can and assure the public that more information is coming as the situation develops.

It’s important to be mindful of regulations to protect your end user’s privacy even in the face of a data breach. Ensure that your risk assessment and legal team are involved in the drafting and approval of any statement. You want to make it right, but you also need to protect your company’s rights.

Be where your stakeholders are

You could create the perfect crisis communications plan, but it means nothing if you don’t tell anyone. Having the talking points bulleted out is a great start, but it’s not enough to cover all your communication bases. Here is a quick list of all the places you need to have your statement available:

  • Your website – post a blog or home page announcement for easy access
  • Emails for your stakeholders explaining the breach and what actions are being taken to repair the situation
  • Social media posts linking to your official statement: Twitter, Facebook and LinkedIn
  • Press releases – depending on the severity of the breach, a solid public-facing media statement is in order.

Those are just the external-facing pieces of communication. It’s also essential to present a unified and consistent front to your internal employees, board members and investors. Start with a series of transparent email communications from the executive level with corresponding small groups, or one-on-one meetings with managers. In this case, managers will need talking points and some coaching on how to answer difficult questions.

Make amends

Saying sorry doesn’t cut it for today’s consumer. With over 2 billion breaches occurring in 2017, consumers expect more than words from companies who are compromising their data, and health care is no exception.

In your planned communications, include a section where you explain the steps being taken to improve security systems. Take the time to talk to your customer by providing a hotline, email and dedicated support team to answer questions from affected customers. If applicable, allocate funds for recourse, whether that be for identity monitoring or a similar service.

There is no way to turn back the clock, but following these steps will help ensure your constituents aren’t left with a bad taste in their mouth after a data breach.

Find the right partner

The way your organization responds to a crisis can make or break trust, and in health care, trust is a key element for all parties involved. Since the stakes are high, finding a skilled, experienced PR partner is a smart move. There are a multitude of moving pieces in any data breach situation, so hiring additional support can go a long way to make sure all the boxes are checked. A strategic PR partner can help with tasks such as effective press release writing, media training, interview prep, social media content creation, etc. A data breach isn’t the time to mess around with your external image, so engaging a partner is a prudent choice.

Besides adding additional manpower, a PR partner can see more outcomes and plan for the long-term communication challenges after the storm of the data breach. Your brand’s life doesn’t stop after a data breach and neither should your communications plans.

No one wants to believe a data breach will happen in their organization, but the old adage, “better safe than sorry,” rings true. By following these steps and planning for a crisis appropriately, you won’t only be setting your organization up for a quick bounce back, but also treating your end users with the respect they deserve in case the worst happens.

Kristen Broyles, director of social media at SSPR, is an experienced social media marketer with a penchant for B2B tech and healthcare clients. 




