Many healthcare entities have no plan in place for responding to and handling a cyber breach, and much of the advice circulating on the subject comes from people who are not experts. Here are the most common errors healthcare organizations make when protected patient data is compromised:

Mistake #1
Hiring an attorney who lacks the right experience.

Retaining an attorney who is not experienced in handling data breaches can cost a facility far more in the long run. Most healthcare facilities keep an attorney on retainer and use the same counsel for every legal matter pertaining to their business. That attorney, however, may be unfamiliar with the regulatory defense a cyber breach requires or with the public relations fallout it causes. Hiring the right attorney, meaning one who knows how to respond to a cyber breach properly and can act within the required timelines, prevents a lot of expensive missteps. Breach counsel typically also engages the forensic investigator and the crisis communications firm, so that the investigation is directed by counsel from the outset.

Mistake #2
Failing to notify authorities.

When a cyber breach occurs, it is not enough to send letters and emails to affected patients telling them that the facility has had a breach of protected data. The facility must also notify the appropriate state and federal regulators, which vary by jurisdiction. Under the HIPAA Breach Notification Rule, a covered entity must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured protected health information; a breach affecting 500 or more individuals must also be reported to the Department of Health and Human Services within that same 60-day window and announced to prominent media outlets serving the affected state, while smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year. Many states impose their own, sometimes shorter, deadlines on top of this. The incident itself may already be a HIPAA violation; failing to report it is a separate violation that carries substantial civil penalties. One caveat practitioners should check early: the notification duty attaches to unsecured PHI, so whether the compromised data was encrypted in a manner consistent with HHS guidance can determine whether the event is a reportable breach at all.

Mistake #3
Not managing public trust.

The loss of trust caused by a cyber breach is often one of the largest costs to a healthcare facility. The organization's reputation can become irreparable if it cannot expertly manage the public relations fallout, which may include both mass and social media exposure. Hiring a public relations consultant experienced in crisis communications is the smart move. In-house staff may be competent but are rarely enough to handle the crisis, especially if the story goes viral.

Mistake #4
Failure to implement a discovery process.

A discovery process is always necessary once a breach has occurred. It means engaging a third-party forensic expert who works alongside in-house IT personnel to examine the facility's systems, logs and protocols and establish exactly when, where and how the breach happened, and which records were accessed or taken. Two practical points matter here. First, evidence must be preserved before remediation begins: wiping or rebuilding an affected server before it has been imaged, or letting logs roll over, destroys the very information needed to scope the breach. Second, the scope the forensic investigation establishes drives everything that follows, including which patients must be notified and what the regulators are told, so an incomplete investigation leads directly to incomplete or inaccurate notifications. Once it is determined how the breach occurred, the organization must revise and strengthen its controls and protocols to prevent a recurrence.

Mistake #5
Lack of documentation and policy review.

As a standard practice, healthcare facilities must continually review and update their policies and guidelines for protecting data so that they evolve with the changing threat environment, protecting not only all forms of patient data but their employees' information as well. The HIPAA Security Rule already requires covered entities to conduct and maintain an accurate risk analysis and to review their safeguards periodically; dated, unreviewed policies are among the first things regulators and plaintiffs' attorneys ask for after a breach, and the absence of that documentation is hard to explain.

When a breach of protected data happens, avoiding these common errors helps provide a strong defense against regulatory action, lawsuits and class-action suits. It is also good practice for the insurance agents of healthcare facilities to check in on their healthcare clients regularly to make sure their guidelines and protocols are current. That is an invaluable service, and it gives clients confidence and trust that you will be there when they need you.