News
Do I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business AssociatesYour 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement · OCR EnforcementAn Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms · OCR Enforcement15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story · OCR EnforcementOCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule UpdateDo I Need a BAA With My Vendor? A Plain-English Guide to Which Vendors Require a Business Associate Agreement · Business AssociatesYour 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement · OCR EnforcementAn Accounting Firm Just Paid a HIPAA Fine: BST and Co. CPAs and What It Means for Professional Services Firms · OCR Enforcement15 Million Records, a $10,000 Fine, and a Company That No Longer Exists: The MMG Fusion Story · OCR EnforcementOCR Creates Religious Discrimination Units: What the Restructuring Means for HIPAA Enforcement · Rule UpdateOCR Director: The Cost of Doing Nothing Is Very High · Rule UpdateHIPAA Victims May Soon Receive a Share of OCR Fines: What the Proposed Compensation Program Means · Rule UpdateOCR Restructured: Three New Divisions and What It Means for HIPAA Enforcement · Rule UpdateRehab Center Pays $103,000 After Phishing Attack: OCR's 11th Risk Analysis Enforcement Action · OCR EnforcementConcentra Pays $112,500 After Patient Made Six Records Requests Over 13 Months · OCR EnforcementHIPAA Security Rule Final Rule: May Deadline Passes With No Announcement · Rule Update

We think we may have had a data breach

Treat it as a breach until proven otherwise. The 60-day clock is running.

  1. 1

    Contain the incident immediately

    Stop the bleeding first. If systems are compromised, disconnect affected devices. If it was a misdisclosure, document what was shared and with whom.

  2. 2

    Assemble your response team

    Notify your privacy officer, IT support, and consider engaging a HIPAA attorney immediately for attorney-client privilege over the investigation.

  3. 3

    Conduct the four-factor risk assessment

    HIPAA requires a specific four-factor analysis to determine if this is a reportable breach. Use our Breach Notification Checker tool to walk through this.

  4. 4

    Notify your cyber insurance carrier

    If you have cyber insurance, notify them now. Many policies have strict notice requirements and they can provide breach response resources.

  5. 5

    Prepare for notification if required

    If the breach is reportable, you must notify affected individuals, HHS, and potentially the media within 60 days of discovery.

Important

The 60-day notification clock runs from the date of discovery, not the date you finish your investigation. Do not delay.

Related

Ask AI about this situation →

Not legal advice. Follow your organization's policies and consult counsel for legal questions.