
[Image: a lock resting on a keyboard beside a stethoscope, symbolizing cybersecurity against a healthcare data breach]

What to Do in a Healthcare Data Breach

Cyber threats have been considerably disruptive to the healthcare sector over the last decade. While we've outlined steps that organizations can take to improve their defenses, there's still the question of what to do when a bad actor gets past them. Organizations that are also working toward the requirements of the Cybersecurity Maturity Model Certification (CMMC) may be especially concerned about what a breach would mean for their DoD assessment. Whom do you notify? What steps can you take to limit further exposure of your medical records? Here are our recommendations on what to do in a healthcare data breach.

Does HIPAA Apply?

Organizations that must adhere to HIPAA should follow the Breach Notification Rule's requirements for reporting a breach of unsecured protected health information (PHI). For covered entities, that means:

  • Notifying affected individuals without unreasonable delay, and no later than 60 days after discovery of the breach, if their PHI was involved (names paired with Social Security numbers, health charts, medical billing records, etc.).
  • Notifying prominent media outlets within the same 60-day window if the breach involves more than 500 residents of a single state or jurisdiction, and submitting a breach report to the U.S. Department of Health and Human Services (HHS) within 60 days if the breach affects 500 or more individuals in total.
  • Logging breaches that affect fewer than 500 individuals and reporting them to HHS annually, no later than 60 days after the end of the calendar year in which they were discovered.


If the breach occurs at a business associate of a covered entity, the business associate (which is bound by HIPAA through its business associate agreement (BAA)) must notify the covered entity without unreasonable delay and no later than 60 days after discovery, and provide the covered entity with everything it needs for its breach notification letters, including the identity of each affected individual and the details of what happened. HHS also states that the covered entity may delegate the task of sending those letters to its business associate, which is worth spelling out in the BAA before an incident rather than negotiating it during one.

What should you report? Notifications should "include a description of the breach, the types of information involved in the breach, and what steps individuals can take to prevent further harm." They should also describe what the covered entity is doing to investigate the event, mitigate the harm, and prevent similar occurrences in the future, and give affected individuals a way to ask questions (a toll-free number, e-mail address, website, or postal address).

HealthcareITSecurity provides a further breakdown of these requirements.

Does CMMC Apply?

While CMMC is only required for contractors in the Department of Defense supply chain, its framework is easily adaptable to any industry. If you aren't currently preparing for it, we strongly encourage you to do so. We also offer several resources that you can use to prepare for certification.

Whether you've already passed a CMMC assessment or are still preparing for one, our advice is the same: report a cyber incident to the Department of Defense (DoD) as soon as you discover it, through the DIBNet reporting portal (which requires a DoD-approved medium assurance certificate, so obtain one before you need it) or via the DoD help desk. DFARS 252.204-7012 requires the report within 72 hours of discovery, so don't wait for the investigation to finish; submit what you know and update the report as you learn more. As DVIDS notes, the DoD doesn't penalize contractors who act in good faith. Be as helpful and transparent as possible, and preserve and protect images of all known affected systems, along with relevant monitoring and packet-capture data, for at least 90 days from the date you submit the report, since the DoD may request them for its damage assessment.

What should you report? The DoD incident report asks for more detail than a HIPAA notification, including:

  • The type of incident, and whether it led to a significant loss of data, system availability, or system control.
  • The number of victims.
  • Whether it involved unauthorized access to critical information, or the use of malicious software.
  • Whether it affected critical infrastructure.
  • Whether it threatens national security, economic security, or public health and safety.


If the incident involves malware and you're able to isolate a sample, submit it to the DoD Cyber Crime Center (DC3) for analysis, following DC3's submission instructions. DFARS 252.204-7012 is explicit that malware must not be sent to the contracting officer.

Check out DVIDS for more information and a video on this topic.

Have an Incident Response Plan for Disaster Recovery

We’ve talked before about why it’s so important to have an incident response plan in place, and not simply because HIPAA requires it. The more prepared you are for a potential disaster, the easier it will be to mitigate the damage. Therefore:

1.) Familiarize yourself with the DoD and HHS reporting websites before an incident, and confirm that someone on your team already holds the credentials needed to use them.

2.) Consult with your legal team so that you know how and when to notify the FBI and the general public if you're ever the victim of ransomware, and how a ransomware event will be classified: HHS guidance treats the encryption of electronic PHI by ransomware as a presumed breach unless you can demonstrate a low probability that the PHI was compromised.

3.) Make sure that your breach response plan includes steps for disaster recovery:

  • How you maintain an offline or otherwise isolated copy of your mission-critical data, and how often you test restoring from it, so that a ransomware attack can't encrypt your backups along with production.
  • Containment steps your team will take the moment a breach is detected, such as isolating affected hosts and revoking compromised credentials.
  • Steps for restoring damaged systems with minimal downtime, in a defined order of priority.
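
To make the two sets of clocks concrete (the HIPAA deadlines in "Does HIPAA Apply?" and the DFARS 72-hour reporting and 90-day preservation windows in "Does CMMC Apply?"), here is an added example in Python. It is written for this page and is not HCRS tooling or any regulator's calculator; the `Incident` record, its field names, and the sample dates and counts are constructed for illustration, and the rule citations in the comments refer to 45 CFR 164.404-410 and DFARS 252.204-7012. Confirm any deadline it produces with counsel before relying on it.

```python
"""Breach-notification clock tracker: an added illustration, not HCRS's tooling.

Computes, from a constructed incident record, which parties must be notified
and by when under the HIPAA Breach Notification Rule (45 CFR 164.404-410) and
DFARS 252.204-7012.  Field names, sample dates and counts are assumptions for
this example; confirm deadlines with counsel before relying on them.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

HIPAA_MAX_DELAY = timedelta(days=60)        # "no later than 60 days after discovery"
DFARS_REPORT_WINDOW = timedelta(hours=72)   # 252.204-7012(c): report within 72 hours
DFARS_PRESERVE_WINDOW = timedelta(days=90)  # 252.204-7012(e): keep images/logs 90 days


@dataclass
class Incident:
    discovered: datetime                  # timezone-aware discovery time
    phi_individuals: int = 0              # people whose unsecured PHI was involved
    phi_by_state: Dict[str, int] = field(default_factory=dict)  # state -> residents
    is_business_associate: bool = False   # True if we are the BA, not the covered entity
    covered_defense_info: bool = False    # CDI/CUI on a covered contractor system
    dfars_report_submitted: Optional[datetime] = None  # when the DIBNet report went in


@dataclass
class Obligation:
    party: str
    deadline: datetime
    basis: str


def annual_hhs_deadline(discovered: datetime) -> datetime:
    """Sub-500 breaches go in the annual log: due 60 days after the end of the
    calendar year of discovery (March 1, or February 29 in a leap year)."""
    year_end = datetime(discovered.year, 12, 31, tzinfo=discovered.tzinfo)
    return year_end + HIPAA_MAX_DELAY


def notification_obligations(inc: Incident) -> List[Obligation]:
    """Return every notification and preservation deadline, soonest first."""
    obligations: List[Obligation] = []
    hipaa_deadline = inc.discovered + HIPAA_MAX_DELAY

    if inc.phi_individuals > 0:
        if inc.is_business_associate:
            # A BA reports to the covered entity; the CE then notifies individuals.
            obligations.append(Obligation("covered entity", hipaa_deadline,
                                          "164.410: BA notifies covered entity"))
        else:
            obligations.append(Obligation("affected individuals", hipaa_deadline,
                                          "164.404: individual notice"))
            if inc.phi_individuals >= 500:
                obligations.append(Obligation("HHS (breach portal)", hipaa_deadline,
                                              "164.408(b): 500 or more individuals"))
            else:
                obligations.append(Obligation("HHS (annual log)",
                                              annual_hhs_deadline(inc.discovered),
                                              "164.408(c): fewer than 500 individuals"))
            # Media notice is per state/jurisdiction, and the threshold is "more than 500".
            for state, residents in inc.phi_by_state.items():
                if residents > 500:
                    obligations.append(Obligation(f"media in {state}", hipaa_deadline,
                                                  "164.406: more than 500 residents"))

    if inc.covered_defense_info:
        obligations.append(Obligation("DoD via DIBNet", inc.discovered + DFARS_REPORT_WINDOW,
                                      "252.204-7012(c): 72 hours from discovery"))
        if inc.dfars_report_submitted is not None:
            obligations.append(Obligation("preserve system images and monitoring data",
                                          inc.dfars_report_submitted + DFARS_PRESERVE_WINDOW,
                                          "252.204-7012(e): 90 days from report submission"))

    return sorted(obligations, key=lambda o: o.deadline)  # stable sort: ties keep insertion order


def overdue(obligations: List[Obligation], now: datetime) -> List[Obligation]:
    """Obligations whose deadline has already passed at `now`."""
    return [o for o in obligations if o.deadline < now]


def demo_large_covered_entity() -> List[Obligation]:
    """Constructed sample: a covered entity that is also a DoD contractor."""
    inc = Incident(
        discovered=datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc),
        phi_individuals=620,
        phi_by_state={"VA": 510, "MD": 110},      # only VA crosses the media threshold
        covered_defense_info=True,
        dfars_report_submitted=datetime(2024, 3, 6, 15, 0, tzinfo=timezone.utc),
    )
    return notification_obligations(inc)


def demo_small_covered_entity() -> List[Obligation]:
    """Constructed sample: 40 records, discovered late in the year before a leap year."""
    inc = Incident(discovered=datetime(2023, 11, 20, tzinfo=timezone.utc), phi_individuals=40)
    return notification_obligations(inc)


if __name__ == "__main__":
    for ob in demo_large_covered_entity():
        print(f"{ob.deadline:%Y-%m-%d %H:%M} UTC  {ob.party:<45} {ob.basis}")
```

Two details the example makes visible that prose tends to blur: the media and HHS thresholds differ (more than 500 residents of one state versus 500 or more individuals overall), and the DFARS clock is measured in hours from discovery while the preservation window runs from the date the report is submitted, not from discovery.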


Beyond HIPAA, CMMC assessments also cover the incident response requirements of NIST SP 800-171 (the 3.6 family), which include tracking, documenting, and reporting incidents to designated officials. Worth noting is the DFARS 252.204-7012 provision that a contractor unable to implement a particular 800-171 requirement may propose an "alternative, but equally effective" security measure in its place, but only with written approval from the DoD CIO, so document any such deviation and get it adjudicated rather than assuming it will be accepted.

HCRS Is Your Data Management Partner

No organization is 100 percent secure against a cyberattack. But those that arm themselves with the best tactics and tools will minimize their chances of becoming victims, damaging their reputations, losing vital data, and suffering substantial revenue loss. HCRS has over 25 years of experience partnering with organizations at the federal, state, and public health levels to improve their data management and cybersecurity. We can also provide your team with the best guidance to prepare for CMMC.

When you’re ready, let’s schedule time to talk about a program.
