5 Steps to Take If Your Org Has a Data Breach

By Philip Betbeze
December 07, 2017

Senior healthcare leaders must formulate an action plan for addressing a data breach at their organizations. Knowing how to deal with one could help limit the damage.

With the news out of Michigan this week that the data of 20,000 patients has been compromised because of a breach, it is wise for healthcare leaders to proactively prevent their organizations from becoming part of the misery.

But if you do experience a data breach, it is your responsibility to respond quickly and fully, executing your action plan. Here are the five steps your action plan should include:

1. Determine what happened.

Many organizations have had a data breach and don't even know about it, so finding evidence of the breach is only the first part of figuring out how it happened, says Chris Byers, CEO of Formstack, an Indianapolis-based company that helps companies, including hospitals and physician offices, manage and capture data about their customers. Its healthcare clients typically use its services to acquire data through electronic medical forms.

Most data breaches are born of human error, he says, whether through misplacing or losing paper forms or through insecure email communication.

"Plenty of times you have no clue about the original cause as to why data got out, and you only have about a day to figure out what you can learn before addressing the issue publicly," says Byers.

Even if all you can offer is an account of how you are seeking answers, you need to explain how you think you were breached.

2. Notify the public.

This can be difficult when, in the short term, you are still not completely sure what happened, but you should notify those whose data may have been compromised, says Byers.

"What happened isn't enough. You want to communicate immediately with customers or patients, and do it quickly and genuinely," he says.

"One of the things most of us do when we go into a practice or hospital is we sign the HIPAA policy," says Byers. "The hospital system should implement some sort of alert in their portal to ensure they're capturing patient email addresses to make sure you can communicate with them."

Philip Betbeze is the senior leadership editor at HealthLeaders.
