Organizations of all sizes face the threat of cyberattacks as attackers target sensitive data such as personal information, financial records, and healthcare data. In fact, according to Statista, “In the second quarter of 2025, nearly 94 million data records were leaked in data breaches, impacting millions of individuals worldwide.”
The consequences of a breach can include financial losses, operational disruption, regulatory penalties, and reputational damage. Research by IBM shows that the global average cost of a data breach is about $4.4 million. The report also notes that while organizations of every size and industry are vulnerable to breaches, the severity of these incidents and the costs to remediate them may differ. What's even more concerning is that many breaches may take months to detect and contain, which increases the damage and recovery costs. As IBM states, “it takes an average of 241 days to identify and contain an active breach across all industries.”
Given these risks, every organization must have a clear and effective response plan for handling data breaches.
What are HIPAA data breaches in the healthcare context?
HIPAA data breaches occur when there is an impermissible use or disclosure of protected health information (PHI), which encompasses a wide range of individually identifiable health-related data, such as medical records, billing information, insurance claims, and more.
Under HIPAA, healthcare organizations and their business associates must protect PHI from unauthorized exposure. The Department of Health and Human Services (HHS) defines a breach as “an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information.” Additionally, HIPAA presumes that any impermissible use or disclosure of PHI is a breach unless the covered entity or business associate can demonstrate that there is a low probability that PHI has been compromised. To determine this, organizations must conduct a risk assessment considering the following factors:
- The nature and extent of the PHI involved
- The unauthorized person who accessed the PHI or received the disclosure
- Whether the PHI was actually acquired or viewed
- The extent to which the risk to the PHI has been mitigated
These factors help healthcare organizations determine whether a security incident rises to the level of a reportable HIPAA breach and what steps must be taken to respond appropriately.
The importance of preparedness
Although preventing cyberattacks is a major priority for most organizations, prevention alone is not sufficient. Cybersecurity experts increasingly emphasize preparing for breaches before they occur. The Canadian Insurance Services Regulatory Organizations (CISRO) notes that “use of technology… comes with the responsibility of safeguarding it from unauthorized access.”
As the CISRO’s Cybersecurity Readiness article explains, “being proactive in implementing appropriate measures is key to preventing cyber incidents that could compromise or lead to the theft of client information and to mitigate its impact on both the intermediaries and their clients.” This shows that cybersecurity isn’t only about preventing incidents but also about limiting the damage when they happen.
Preparedness matters because:
Prevention and early detection reduce harm
As the article's guidance on proactive measures implies, readiness, including regular vulnerability assessments, staff training, and system monitoring, can reduce the likelihood of breaches or detect them early, before they escalate.
Everyone plays a role
The article notes that the workforce should also understand cybersecurity policies and practice good habits such as using strong passwords, keeping devices updated, and being alert to suspicious activity. This cultural element reduces the likelihood of breaches and enhances the reaction when they do occur.
Effective response limits damage
CISRO recommends that intermediaries develop a written incident response plan, appoint a response team, and “establish a communication protocol in writing to guide the response team in evaluating what information may need to be shared with stakeholders, regulators, or law enforcement.” Having these steps documented ahead of time reduces the confusion and delay that often follow a breach, limiting operational disruption and reputational harm.
Regulatory and legal readiness
Organizations that prepare for breaches in advance are also better equipped to meet legal and regulatory obligations. CISRO’s guidance notes that response plans should consider reporting obligations under applicable privacy legislation and should ensure that communications are timely and appropriate. This is especially important in regulated sectors like healthcare and insurance, where regulators expect breach preparedness and may impose penalties for failures in response or notification.
Continuous learning and improvement
Finally, CISRO notes that breach preparedness isn’t a one‑time activity but an ongoing process. The guidance recommends that organizations stay up‑to‑date with evolving threats and continually review their practices. Over time, this continuous preparedness increases resilience and helps organizations adjust to emerging threats and attack techniques.
Steps to respond to a HIPAA data breach
When a potential HIPAA breach occurs, healthcare organizations must act quickly and follow a structured response process to limit harm and remain compliant with privacy regulations. Guidance from Holland & Hart LLP outlines practical steps organizations should take to address breaches involving PHI. These include:
Stopping the breach immediately
The first step is to contain the incident and prevent further exposure of PHI. According to the guidance, “Immediate action may help avoid or mitigate the effects of a breach.” Organizations should terminate improper access to PHI, retrieve information that was improperly disclosed, and obtain assurances that recipients will not further use or disclose the data.
Notify the privacy officer
Once a breach is discovered, staff should promptly notify the organization’s designated privacy officer. HIPAA requires covered entities to appoint a privacy officer who has the expertise to investigate and respond to incidents. The article notes that employees should report breaches quickly because “deadlines for responding to breaches generally run from the date that anyone in the organization knew of the breach.” Early reporting ensures that the organization can begin the investigation and meet regulatory timelines.
Respond promptly
The guidance emphasizes that “swift, appropriate action is critical” for several reasons. Prompt responses help organizations mitigate the effects of the breach, prevent additional violations, and meet HIPAA’s requirement that breach notifications be provided “without unreasonable delay.” Acting quickly can also help reduce regulatory penalties if violations are corrected promptly.
Investigate the incident
Organizations must investigate to determine what happened and whether the breach is reportable. This investigation should confirm the “who, what, when, why, and how” of the incident by speaking with the individuals involved and reviewing relevant evidence. The investigation should also determine the nature and scope of the PHI that was accessed, used, or disclosed.
Mitigate the effects of the breach
HIPAA requires organizations to take steps to reduce the harm caused by a breach. As the article explains, covered entities must “mitigate any harmful effects of a breach to the extent practicable.” Mitigation measures may include retrieving or deleting improperly disclosed information, changing passwords, remotely wiping devices, or warning recipients about penalties for further disclosure. In some cases, organizations may also provide credit monitoring or other protective services to affected individuals.
Correct the underlying problem
Beyond addressing the immediate breach, organizations should fix the root cause of the incident. This may look like updating policies, improving technical safeguards, or providing additional employee training. The guidance notes that organizations may avoid certain HIPAA penalties if they correct the problem within 30 days and demonstrate that the violation did not result from willful neglect.
Apply appropriate sanctions
HIPAA also requires organizations to enforce sanctions against employees who violate privacy policies. The article states that covered entities must “have, apply, and document appropriate sanctions” against workforce members who mishandle PHI. Depending on the severity of the violation, sanctions may range from additional training to suspension or termination.
Determine reporting obligations
Finally, organizations must determine whether the incident qualifies as a reportable breach. Under the HIPAA Breach Notification Rule, entities must report breaches involving “unsecured PHI” (PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons, for example through encryption or destruction consistent with HHS guidance) to affected individuals, to HHS, and, for breaches affecting more than 500 residents of a state or jurisdiction, to prominent media outlets. Notifications must include a description of the breach, the types of PHI involved, steps individuals can take to protect themselves, what the organization is doing in response, and how to contact it.
FAQs
How quickly must organizations respond to a HIPAA breach?
Organizations must respond to a HIPAA breach without unreasonable delay. If the breach is confirmed and involves unsecured PHI, affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to HHS within the same timeframe; smaller breaches must be logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.
How can healthcare organizations prevent HIPAA breaches?
Organizations can reduce the risk of HIPAA breaches by implementing strong cybersecurity practices such as encrypting sensitive data, using multi-factor authentication, conducting regular security training for staff, and performing risk assessments to identify vulnerabilities. Encryption carries an additional benefit: PHI encrypted in line with HHS guidance is not “unsecured PHI,” so the loss of a properly encrypted device or message is generally not a reportable breach.
What types of incidents can lead to a HIPAA breach?
Several incidents can lead to a HIPAA breach, including phishing attacks, stolen or lost devices containing patient information, unauthorized employee access to medical records, ransomware attacks, and accidental disclosures such as sending patient data to the wrong recipient. Note that HHS treats ransomware that encrypts ePHI as a presumed breach, since the data has been acquired by an unauthorized party, unless the organization's risk assessment shows a low probability that the PHI was compromised.