How to Respond When Patient Data Has Been Compromised

Posted on in Cybersecurity

Every business should have a plan in place for how they will respond to a crisis. This is even more true for healthcare industries where a crisis doesn’t just mean maintaining your own reputation, but the livelihood of your patients. You need to have a plan in place should a cyber security breach occur. Discuss these tips at your next board meeting and put a plan in place for how you will go about handling a situation like this.

Act Fast

A security breach is incredibly serious. Acting slow will only cost you more financially in the end. Delayed responses open up the opportunity for more patient data being stolen and compromised. Too often, companies try to deny that they have a security issue, or justify it by saying it’s minimal. The first step is to work with a trusted security company to determine if the incident caused patient data to leave your network and how many patient records were compromised. The results of this forensic work will determine if the incident was a breach.

It’s important to note that the laws and regulations differ per state. For example, in Iowa if you have more than 500 patient records that have been stolen it is considered a breach. Acting quickly can keep it from spiraling out of control and minimize the financial impact.

Be Honest

The public can sniff out a lie and any kind of fabrication fairly easily. Be honest about the breach and you will be able to restore the public’s trust. Let them know that you are in control of the situation and will do everything in your power to make it right. You can make it right by preventing it from happening again.

Get more details about breach notification guidelines on the U.S. Department of Health & Human Services’ website.


You should be upfront about how the breach occurred. When you are honest with this, you will be able to talk about how you will prevent the same situation from repeating itself. If the cause was employee mishandling of information, develop a plan for how you will educate employees in the future of safety protocols and how you are adopting tech systems to assist in preventing user error.

You never know how a security breach will happen to you, but you should be prepared to handle a variety of circumstances. Your business can take steps now to prevent yourself from needing to have a crisis plan. Talk to us about developing an incident response plan.