
Your Practice Got Breached. Now What? The Dental Data Breach Playbook


A ransomware attack hit overnight. Or a server was hacked. Or a laptop with patient data was stolen. Your practice has experienced a data breach. You have 24 hours to make decisions that will affect the next six months. Here's what to do.

First Hour: Containment

  1. Don't panic. Panic leads to bad decisions. Follow this playbook.
  2. Disconnect affected systems. Unplug the network cable or disable Wi-Fi. Stop the bleeding first.
  3. Preserve evidence. Take photos of screens. Note timestamps. Document what you see.
  4. Call your IT provider. If you don't have one, call your cyber insurance carrier immediately. They will help coordinate the response.
  5. Do not pay any ransom. Not yet. Get professional guidance first.

First 24 Hours: Investigation and Communication

  1. Determine scope. What data was affected? How many patients? What information was compromised?
  2. Involve legal counsel. Breach notification has legal requirements. Your attorney needs to be involved in all decisions.
  3. Notify your cyber insurance carrier. Report the incident. Many carriers have breach response teams that can help.
  4. Document everything. Create a timeline. Who discovered the breach? When? What did you do first? This documentation will be critical.
  5. Do not communicate with patients yet. Wait for legal counsel's guidance on notification.
  6. Brief your staff. Let them know what happened (if they haven't figured it out) and what the plan is. Rumors spread faster than information.

First Week: Damage Assessment and Notification

  1. Complete the investigation. Work with your IT provider and forensic investigators to understand the full scope of the breach.
  2. Restore from backup if possible. If it was ransomware and you have clean backups, restoration may be possible. Never restore from a backup that may itself be infected.
  3. Notify affected individuals within 60 days (state law requirements vary; some deadlines are shorter). The notification must include what happened, what data was compromised, and what individuals should do to protect themselves.
  4. Notify HHS if HIPAA-covered. Report the breach through its portal (for breaches affecting 500+ individuals, notify the media too).
  5. Notify your business partners. If the breach affects your vendors' data or your referral partners' patient information, they need to know.

Following Weeks: Remediation and Prevention

  1. Offer credit monitoring. If SSNs or financial information were exposed, offer free credit monitoring to affected individuals.
  2. Determine root cause. How did the breach happen? Unpatched software? Weak password? Phishing? Understanding the cause informs prevention.
  3. Fix the vulnerability. Patch systems. Change passwords. Implement 2FA. Improve backups. Whatever allowed the breach should be fixed.
  4. Update your security practices. Use this as a learning opportunity to improve your overall security posture.
  5. Review your insurance and incident response plan. Make sure both are adequate for the next incident (and there will be a next time).

The Hard Truth

Breaches are expensive. Not just in direct costs (forensics, notification, credit monitoring), but in time, stress, and reputational impact. Every dollar spent on prevention now is a dollar saved in remediation later.

Have your playbook written before you need it. Test it. Practice it, so that when (not if) something goes wrong, you have a procedure to follow instead of panic to manage.