Success Story: Patient Privacy Breach Requires Swift, Strong Communications
A national healthcare company suffered a privacy breach that crossed 13 states and compromised thousands of patients’ private health information.
As soon as the security lapse was discovered — it was caused by a system failure of one of its contracted vendors — the company began a full-scale investigation to uncover exactly what happened and what data and which patients were involved.
Not only did the company need to comply with federal and state reporting requirements, it wanted to preserve its relationships and provide immediate help to patients and hospital partners affected by the breach.
We were engaged as part of the crisis team that included operations, legal and regulatory representatives. The team huddled daily to share the latest information and coordinate work streams.
Early on, the company made the decision to be as open and transparent as possible regarding the details of the breach with both internal and external stakeholders.
We created a comprehensive communications plan to notify affected patients and hospital partners, as well as to comply with federal and state regulations on reporting the incident through media channels. Elements included:
- Personal phone calls to each hospital partner with impacted patients to inform them of the situation;
- Detailed and timely communication to affected patients that included an offer for free credit monitoring and an explanation of actions taken to prevent further inappropriate access to their information;
- Comprehensive communications toolkit for hospital partners to assist them in answering questions from patients in their communities; and
- Notification of media in 13 states to comply with federal and state reporting requirements.
By providing timely, detailed information and ongoing support to affected patients and hospital partners, the company was able to blunt long-term consequences of the incident.
Industry trade publications praised the company’s strong response to the crisis, and media coverage was limited and short-lived.
Thanks to significant planning and seamless implementation of the crisis plan, the company was able to promptly address the crisis and return, more quickly than anticipated, to their mission of improving the lives of patients.