    Viewpoint: 5 Things You Should Do After a Data Breach Notification

    By DeAnn Tucker, MHA-HI, RHIA, CHPS, CHPC, and Jeffery Daigrepont

    Viewpoint is a column created by AAOE® specifically for ophthalmologists and leaders in practice management.
    You’ve just been notified of a data breach from one of your business associates. Now what? 

    Here are five immediate steps that you should take to minimize reputational damage and ensure your practice’s response strategies are defensible:

    1. Request all documentation from the business associate’s investigation. 
    It’s crucial that you determine specifically what information has been breached as this will inform your next steps. The documentation you request from the investigation should include the following:
    • A forensics analysis
    • A timeline of events
    • The data accessed or potentially accessed during the breach. Be sure to include these types of specific data elements:
      • Name
      • Date of birth
      • Social Security Number
      • Address
      • Financial information
      • Insurance information, etc.

    2. Conduct your own risk assessment.
    Your own risk assessment may bring to light areas in your practice where you need to strengthen your future cybersecurity protocols. At the very least, make sure your assessment of the current breach takes these factors into consideration:
    • The nature and extent of the protected health information involved, such as the types of identifiers and likelihood of reidentification
    • The unauthorized person who used the protected health information or to whom the disclosure was made
    • Whether the protected health information was actually acquired or viewed
    • The extent to which the risk to the protected health information has been mitigated
    Most importantly, maintain all documentation to support your risk assessment determination.

    3. Immediately contact your cybersecurity liability insurance provider. 
    Many insurance plans have very specific reporting timeframe requirements, so it’s important not to delay reporting your breach. Be sure to check your policy, as your coverage may also include investigation and mitigation support.

    4. Review your business associate agreement.
    You will need to determine your business associate’s responsibilities in the event the breach is confirmed and requires reporting. 

    5. Notify your incident response team.
    This includes legal counsel and senior leadership. You all need to be on the same page regarding your legal responsibilities.

    Cybersecurity breaches have been all too common during the pandemic. Review cybersecurity protocols throughout the year with staff so that both new hires and longer-term staff stay current with best practices. 

    About the Authors

    DeAnn Tucker is a senior manager in Coker Group’s compliance division. She has over 28 years of combined experience in health information management as well as privacy and security in acute health systems.

    Jeffery Daigrepont, senior vice president at Coker Group, specializes in healthcare automation, system integration, cybersecurity, operations, and deployment of enterprise information systems for large integrated delivery networks and private medical practices.