Menu

10 Steps for Responding to a Telehealth Data Breach

Health Care   |   Cybersecurity and Privacy   |   April 30, 2020
Download   
Share Page

Thus far, telehealth breaches have been exceedingly rare, but as telehealth is increasingly used, telehealth data breaches and similar incidents may become more commonplace. Here are 10 steps for responding to a telehealth data breach or similar incident:

  1. Stop the Leak

Whatever the data compromise, end it. Shut down the access rights being abused; take down the mistakenly posted records. However, any action taken to stop the leak should be undertaken with an understanding of how that action could affect document preservation.

  1. Perform an Initial Assessment

Ask: What type of information was exposed? Does it constitute a “breach” under relevant state law definitions and/or HIPAA?

If your incident involves unencrypted protected health information, under HIPAA, it is presumptively a “breach” unless your risk assessment demonstrates a low probability that the protected health information has been compromised or an exception applies.

Make sure your risk assessment considers the nature and extent of the information involved, who the information was used by or disclosed to, whether it was actually acquired or viewed, and the extent of mitigation.

For HIPAA purposes, some things are, by definition, not a “breach”:

  • Disclosures that do not involve unsecured protected health information (if the information was unusable by unauthorized persons, its exposure is not a “breach”);
  • Unintentional, good faith acquisition, access, or use by a workforce member or person under the authority of a covered entity or business associate within the scope of their authority;
  • Inadvertent disclosure by someone authorized to access the information to another person authorized to access the information; and
  • Disclosure to someone for whom there is a good faith belief could not retain the information.
  1. Follow Your Incident Response Plan

As part of its preparation for a breach or similar incident, an organization should develop and practice with its incident response plan. Then, when a breach or incident occurs, the plan can serve as the organization’s playbook with key action items, such as:

  • Notifying your privacy and security officer;
  • Gathering your incident response team;
  • Retaining counsel;
  • Notifying your insurance carrier; and
  • Putting a litigation hold in place.
  1. Investigate

Counsel should retain your forensic firm to preserve privilege and gather a full understanding of the breach, including:

  • Its cause;
  • What information, systems, or devices were, or may have been, disclosed or otherwise affected; and
  • How, and when, the compromise was discovered.
  1. Comply with HIPAA and State Breach Notification Requirements
  • Determine whom you will notify (law enforcement, regulators, the media, consumers, etc.). The law provides stringent timing requirements for many of these notices. Work with counsel who has the experience and contacts to get this done efficiently and correctly.
  • For business associates, this will require reporting to the covered entity whose information was compromised.
  1. Review and Comply With Relevant Contracts

Businesses and their data are woven together by contracts, most of which now include provisions regarding cybersecurity and data incidents. Make sure you review implicated contracts and comply with them. For example, business associate agreements may include a provision requiring the business associate to report the incident to the covered entity, to other business associates, or possibly even to individuals affected by the breach.

  1. Mitigate Damages

Act to reduce the harm to the individuals impacted by the breach and your business. Minimize the damages consumers may suffer and your own reputational harm and lost business (often one of the largest costs of a data breach) by:

  • Preparing a communication plan with affected individuals where they can receive helpful information, including contact information for key contacts, like law enforcement, the state identity theft hotline, and the FTC;
  • Providing credit monitoring for affected individuals if appropriate given the nature of the breach or incident (this may not make sense in every case);
  • Using disciplinary policies as appropriate to address employees whose conduct failed to comply with applicable guidelines; and
  • Consider terminating any relationship that caused the breach.
  1. Document Your Efforts, but Be Careful What Evidence You Create

It is important to document your efforts and response to any data incident: what you learn, when, the decisions you make, and the basis for those decisions. When doing so, however, consider the discoverability of those materials in any future enforcement proceeding, document production, or trial. That means being careful about the evidence you create and doing everything possible to maximize the protection of the attorney-client privilege (see immediate next step).

  1. Preserve Privilege

Work with counsel to protect privilege at every step of the way. As noted above, counsel should retain the forensic firm and any other vendors needed to investigate and respond to the incident.

  1. Plan for the Next One

Once you have contained the current incident, it is time to reflect and plan for the next one.

  • Look at what worked and did not, and adjust your data incident response plan and other policies accordingly.
  • Consider what you can do to strengthen your cybersecurity and privacy practices. Is it time for another employee training? Does your incident response plan need adjustment?
  • Once you implement changes, test them.


©2020 Carlton Fields, P.A. Carlton Fields practices law in California through Carlton Fields, LLP. Carlton Fields publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information and educational purposes only, and should not be relied on as if it were advice about a particular fact situation. The distribution of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship with Carlton Fields. This publication may not be quoted or referred to in any other publication or proceeding without the prior written consent of the firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our Contact Us form via the link below. The views set forth herein are the personal views of the author and do not necessarily reflect those of the firm. This site may contain hypertext links to information created and maintained by other entities. Carlton Fields does not control or guarantee the accuracy or completeness of this outside information, nor is the inclusion of a link to be intended as an endorsement of those outside sites.

Subscribe to Publications

Disclaimer

The information on this website is presented as a service for our clients and Internet users and is not intended to be legal advice, nor should you consider it as such. Although we welcome your inquiries, please keep in mind that merely contacting us will not establish an attorney-client relationship between us. Consequently, you should not convey any confidential information to us until a formal attorney-client relationship has been established. Please remember that electronic correspondence on the internet is not secure and that you should not include sensitive or confidential information in messages. With that in mind, we look forward to hearing from you.