Hospital Data Breach Playbook

What to do before, during and after

Medical data breaches are on the rise, making patient data security one of the most pressing issues in the healthcare industry. In 2019, more than 41 million healthcare records were either exposed, stolen or inappropriately disclosed. The 2019 total is greater than the number of patient records breached in the three previous years combined, according to a HIPAA Journal report.

While hospitals and health systems are increasingly becoming the targets of malicious cyberattacks, there are steps these organizations can take to minimize the risk of breaches and ensure a swift response when one occurs.

During a Jan. 21 webinar hosted by Becker’s Hospital Review and sponsored by Ensemble Health Partners, two industry leaders laid out a “before, during and after” approach to data breach prevention and response. Additionally, the conversation walked through real-life examples, drawn from the Office for Civil Rights home page for HIPAA Privacy, of provider responses to breaches that resulted in fines or legal settlements, as learning opportunities.

The speakers included:

  • Gregory Kerr, Chief Privacy Officer, Ensemble Health Partners
  • Ray Percell, Director of Compliance, Ensemble Health Partners

Before: Get one step ahead

The best time to minimize the risk of a security breach or a large fallout after a breach is before one even occurs, explained Mr. Percell.

Before a data breach occurs, it is imperative that providers create a procedure to assess privacy and security incidents, develop a breach response plan with key stakeholders and ensure staff are aware of any updates to state and/or federal reporting requirements.

In addition, completing an annual privacy and security risk assessment is helpful to understand external and internal threats to a provider organization’s patient data.

“With the moving parts and the sophisticated ways your data is being accessed and stolen, your IT team must try to be one step ahead,” Mr. Percell said.

During: Avoid knee-jerk reactions

When a breach is discovered, it is critical for providers to work quickly to gather the facts before reacting and responding, according to Mr. Kerr.

“It is not uncommon that knee-jerk reactions occur,” Mr. Kerr said. “However, these reactions cannot only be costly, but also create additional complications for an organization.”

Instead, an organization should determine the nature and severity of the incident, document the findings and determine if it is a notifiable breach. The covered entity or business associate should launch a breach investigation as soon as possible so they can begin to understand how many people were affected, what data was accessed, the timeline of the breach and any remediation services that may be necessary, Mr. Kerr explained. 

After: Monitor, assess and act

The effects of a data breach are not always immediately known, explained Mr. Kerr. As a result, an organization affected by a breach of PHI must continue to monitor affected individuals, consider reputational risk and assess liability risks following a data breach.

From there, the organization can determine whether purchasing insurance is beneficial, whether to hire a consultant to aid with breach notifications, or whether to engage another vendor to provide other services, such as credit monitoring.

After part II: Reporting deadlines, details

Once a breach is discovered, on the federal level, affected individuals must be notified within 60 calendar days. If 500 or more individuals are involved, then HHS’ Office for Civil Rights must be notified within 60 days as well. In addition, for breaches involving more than 500 affected individuals who reside in the same state, local media outlets must also be notified no later than 60 days from the date the breach was discovered. For breaches that affect fewer than 500 individuals, the federal HIPAA Privacy Rule requires that the affected individuals be notified within 60 days of discovery, and the covered entity should record the breach in a manner consistent with federal expectations and report those breaches annually to the federal government no later than 60 days after the end of each calendar year, or as the federal government may direct.

It is also important to keep in mind that individual states may impose their own reporting requirements that must be followed in addition to the federal ones, according to Mr. Percell.

The OCR is strict on these deadlines, Mr. Percell said, adding that the agency will not offer exceptions to the rule unless a law enforcement official requests a delay because notification would impede a criminal investigation or threaten national security.

One example of the strict deadline is a 2017 incident with Chicago-based Presence Health. The health system was the first HIPAA covered entity to receive a resolution agreement for reporting a breach of personal health information late. The system was fined $475,000 by the OCR for reporting the incident 45 days late and had to undertake a corrective action plan. This reveals how important the 60-day deadline is, according to Mr. Percell.

Another example Mr. Percell shared was when Norfolk, Va.-based Sentara Healthcare paid the OCR $2.17 million for failing to properly notify HHS of a breach of PHI. Sentara had believed the breach affected eight people, but an OCR investigation found that it affected 577 individuals.

This case reveals that it is important to conduct a thorough investigation of the incident, Mr. Percell said.

After part III: Cooperate with the media, but don’t disclose PHI

Media can play a very important role in getting information out about the breach to the public and affected individuals. However, involvement with the media can also worsen an already bad situation, Mr. Kerr said.

One example that other providers can learn from is an incident that occurred with Memorial Hermann Health System in Houston, Mr. Kerr said.

In September 2015, a patient at one of Memorial Hermann’s clinics presented a fraudulent identification card to office staff, who immediately reported the incident to law enforcement authorities. Memorial Hermann then published a press release about the incident, which impermissibly disclosed the patient’s PHI by including his or her name in the title of the press release.

The incident reminds providers that they can cooperate with police without violating HIPAA, but that they must protect patient privacy when making statements to the public, Mr. Kerr said. 

Memorial Hermann paid $2.4 million to HHS to settle the potential violation of HIPAA.

After part IV: The use of business associate agreements

Another way covered entities can protect their organizations from the fallout of a breach is by using business associate agreements. These agreements, which should be in place with any partner that has access to or transmits PHI, outline the permissible uses of PHI and list out liabilities and responsibilities in the event of a HIPAA breach, Mr. Percell said.

When developing these agreements, leaders should engage subject matter experts including the privacy and legal department. These agreements should also be updated regularly and signed by all parties, Mr. Percell said.

Overall, the risk of security breaches in healthcare is high. However, with a plan in place for before, during and after a breach, healthcare organizations can be well prepared to handle the incident swiftly and responsibly.

To view the hour-long webinar with more real-world examples, click here.