News
Do I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business AssociatesYour 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement · OCR EnforcementAn Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms · OCR Enforcement15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story · OCR EnforcementOCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule UpdateDo I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business AssociatesYour 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement · OCR EnforcementAn Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms · OCR Enforcement15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story · OCR EnforcementOCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule Update

We had a security incident (malware, intrusion, or lost device)

Activate your incident plan, preserve evidence, and involve legal counsel early.

  1. 1

    Contain and isolate

    Disconnect affected systems if needed. Do not wipe drives until counsel or forensics advises, evidence matters.

  2. 2

    Engage counsel and forensics

    Attorney-client privilege can protect parts of the investigation. Forensics helps prove whether PHI was accessed.

  3. 3

    Notify insurers and leadership

    Cyber policies often have short notice windows. Brief executives under NDA as appropriate.

  4. 4

    Prepare customer and regulatory notifications

    If PHI was involved, your BAA and HIPAA may require customer notice and a breach risk assessment.

Important

The difference between an unsuccessful attack and a reportable breach depends on facts, not hope.

Related

Ask AI about this situation →

Not legal advice. Follow your organization's policies and consult counsel for legal questions.