What to Do When Your HIPAA Data Has Been Breached

Surge in Hacking Incidents: Malware and Ransomware Breaches Double in 2017

The 2017 statistics regarding breaches of protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) are in, and the story the numbers tell is sobering. In total, the year saw 477 breaches affecting nearly 5.6 million patient records. This means there was more than a breach per day for the entire year. And cybersecurity software firms predict that 2018 could very well see similar numbers — despite efforts to make healthcare institutions and their employees more aware of HIPAA data breach best practices.

Investigations into the breaches revealed that the single largest reported breach in 2017 was due to wrongdoing by an insider. In this instance, a hospital worker improperly accessed nearly 700,000 patients’ personal billing information. And when you combine insider wrongdoing with insider error, a total of 37 percent of the year’s breaches wind up being the responsibility of insiders.

But what far outweighs any breach statistics related to insiders is the news that reported incidents of hacking that involved malware and/or ransomware doubled from 30 instances in 2016 to 64 instances in 2017. And while some people argue that the numbers are misleading due to better reporting by health institutions, the risk remains very real.

HIPAA Data Breach Reporting Time Improves, but Fines Loom for Organizations Exceeding 60-Day Limit

Perhaps the statistic that pertains most to how to handle a HIPAA data breach is the fact that it took HIPAA-compliant organizations an average of 344 days to report a breach in 2016, while in 2017 that average dropped to 73 days. Of course, it’s good news that organizations are reporting data breaches more quickly to the U.S. Department of Health and Human Services (HHS). Nevertheless, it needs to be noted that the average of 73 days is still beyond the 60-day limit for reporting large breaches, after which civil penalties and monetary fines can be levied.

As an aid to healthcare organizations, the HHS provides online HIPAA Basics For Providers: Privacy, Security, and Breach Notification Rules. This contains clear explanations of the rules as well as good resources for further reading. But as a warning to organizations that might not take the rules seriously enough, it reports that when two HIPAA-covered organizations wrongly shared 6,800 personal health records online — including individuals’ medications and lab results — the organizations were fined $4.8 million and had to agree to corrective action plans. In addition, when a hospital worker pleaded guilty to seeking personal gain from illegally obtained PHI, that former worker faced a maximum 10-year prison sentence.

What to Do When HIPAA Data Has Been Compromised

Clearly, no institution wants to be faced with the question of how to handle a HIPAA data breach. But besides taking every precaution to avoid one in the first place, knowing what to do when HIPAA data has been breached is one of the most important action plans an organization can put in place to protect its long-term survival and keep its patients’ trust through difficult times.

In the event that your organization believes its PHI may have been compromised, it’s advisable to take the following steps when recovering from a HIPAA hack and/or data breach:

If you’re in the healthcare business, you don’t need to be reminded that every complaint needs to be taken seriously. And when it comes to a possible breach of patient data, you must conduct an investigation and risk assessment as soon as possible. The primary factors you need to determine have to do with the amount and type of information breached, the number of patients potentially affected, and whether the information was likely ever received and/or used by any outside parties. Each of these factors is important in determining whether a breach, and therefore a violation, under the HIPAA rules actually occurred. Be warned: Never take shortcuts or delay an investigation because the facts you’re uncovering are unpleasant.

How and to whom you communicate a possible breach partially depends upon what your investigation uncovers. Of course, for a HIPAA breach of any size, you’re expected to inform all patients, employees and business partners directly affected. In addition, following HHS rules, if you have a breach that affects fewer than 500 individuals, you are expected to report the breach to the Office for Civil Rights (OCR) “within 60 days of the end of the calendar year in which the breach was discovered.” If, however, your breach affects 500 or more individuals, you are expected to fill out an electronic report to the OCR “without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach.” For breaches of this size, you’ll be asked to describe your damage control plans. Also, you’re required to report a large breach to the media, prior to which you are highly advised to retain the services of a PR firm. Just remember that crisis messaging does not equal crisis management — good communication is better than no communication!

Regardless of the size of the breach, your organization needs to conduct a review. This way, you can determine exactly where improvements can be made. In case of a large breach, the steps you take to correct breaches in the future will form an integral part of your report to the OCR. It should also be noted that the drive and timeliness with which you undertake this review can help mitigate potential fines and penalties. No matter how your breach occurred, you must institute a secure document management system.
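The two OCR reporting windows quoted in the communication step above, turned into a small deadline calculator so the 60-day clock is tracked rather than estimated. This is an added example, not code from the post or from Softlinx; the function names and the constructed breach sizes and discovery dates are assumptions, and the 500-record threshold and 60-day window are the figures the post cites.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Figures as quoted in the post's HHS/OCR reporting rules.
LARGE_BREACH_THRESHOLD = 500   # "500 or more individuals" is a large breach
REPORTING_WINDOW_DAYS = 60     # the 60-calendar-day limit


@dataclass(frozen=True)
class NotificationPlan:
    affected: int
    discovered: date
    ocr_deadline: date           # last day to file the report with OCR
    media_notice_required: bool  # large breaches must also be reported to the media


def plan_notifications(affected: int, discovered: date) -> NotificationPlan:
    """Derive the OCR deadline from the breach size and the discovery date.

    Large breach (>= 500): no later than 60 calendar days from discovery,
    plus a media notice.  Smaller breach: within 60 days of the end of the
    calendar year in which the breach was discovered, no media notice.
    """
    if affected < 0:
        raise ValueError("affected count cannot be negative")
    if affected >= LARGE_BREACH_THRESHOLD:
        deadline = discovered + timedelta(days=REPORTING_WINDOW_DAYS)
        media = True
    else:
        year_end = date(discovered.year, 12, 31)
        deadline = year_end + timedelta(days=REPORTING_WINDOW_DAYS)
        media = False
    return NotificationPlan(affected, discovered, deadline, media)


def days_overdue(plan: NotificationPlan, reported_on: date) -> int:
    """Days past the OCR deadline (0 if the report was filed on time)."""
    return max(0, (reported_on - plan.ocr_deadline).days)


if __name__ == "__main__":
    # Constructed sample: a large breach discovered 1 March 2017 and filed
    # after the 73-day average cited in the post lands 13 days late.
    big = plan_notifications(700_000, date(2017, 3, 1))
    print(big.ocr_deadline, big.media_notice_required)               # 2017-04-30 True
    print(days_overdue(big, date(2017, 3, 1) + timedelta(days=73)))  # 13
    small = plan_notifications(120, date(2017, 3, 1))
    print(small.ocr_deadline, small.media_notice_required)           # 2018-03-01 False
```

The discovery date is the day the clock starts, so log it the moment the investigation confirms a breach rather than when the report is drafted.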

Softlinx Helps Those Looking to Prevent a Future Data Breach

Remember: Moving forward from any data breach usually means establishing smarter document handling protocols. At the same time, any good data management system must also allow your business to grow and remain responsive to your clients’ needs. For these reasons, as well as for cost-efficiency, you may want to learn more about our HIPAA-compliant cloud faxing service. Simply contact us or schedule a live demo, or call (800) 899-7724 to speak with a Softlinx representative.
