This “Data Breach Response – How To” article is part of our larger series by Heather Noonan.
One of the critical questions with a healthcare data breach is the question of who was affected. Were there minors, elderly, HIV or cancer patients, pregnant mothers, high-profile clients, employees? The list can go on and on, as you can see. Could some of these individuals be deceased? Will you need to notify their next of kin or spouse? Will you be notifying parents, foster parents, or guardians? Will you have to notify Mother Hen that you lost her baby chicks’ personal information? These are all important factors that can lay out a positive experience or a very difficult one. Trust me, I’ve seen the difficult ones and it isn’t fun for anyone.
Once you figure out who has been affected, you will want to decide how you want to address them. Do you want to send the same letter to everyone, or do you want to send specific letters to specific groups? The letter to your high-profile clients might not be the best letter for the elderly or the minors. On the other end of the spectrum, you also don’t want to mail out 10 letter versions and cause more confusion and anxiety for you, your company, and the regulating state and federal bodies.
Try to think of the highest common denominator. Think of Mother Hen. She wants to hear that you are sorry and how you are going to fix this problem she was unprepared for. She doesn’t want to hear how the company is failing and that you had no idea a hacking ring was infiltrating your network servers. She couldn’t care less.
So make it easy on yourself. Think of these things before you shoot from the hip and run at full speed. Remember, these are real people, and a slow, thoughtful approach is going to have a much better outcome. A positive outcome and experience, not a difficult one.
Senior Project Manager-Data Breach Response Team