HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

How to Retain Patients After a Data Breach

Last year, 1 in 3 Americans had their healthcare data exposed. Many Americans will have had their personal information exposed more than once.

While no one wants to have their personal or healthcare information exposed in a data breach, these days it is inevitable that an individual will be affected by a data breach if they allow their data to be stored by a third party such as a healthcare provider or retailer. Sooner or later someone employed by that company will make a mistake that results in data being exposed, or a determined cybercriminal will break through security defenses and steal their sensitive information.

According to a survey recently conducted by the privacy and data security group of the law firm Morrison &amp; Foerster, American consumers are becoming used to their data being exposed. While they are still very concerned about their privacy, many now understand that no company is perfect. Fewer people now change company after a data breach than a few years ago, but a significant percentage of individuals still do.

What is the Likelihood of Losing Patients/Customers after a Data Breach Has Been Suffered?


When the same privacy and data security group conducted a similar survey in 2011, 54% of respondents said they had switched providers/companies because of privacy concerns. When the question was asked again at the end of 2015, that figure had fallen to 35%. 22% of respondents said they had changed provider/company in the past 12 months specifically because of a data breach.


According to Andrew Serwin, a partner at Morrison &amp; Foerster, the survey data show that “Less people are extremely concerned about privacy, but the ones that care, really care.” The survey found that the individuals most likely to switch were those with higher incomes and higher education levels.

While the survey was not limited to healthcare patients, healthcare organizations should take note of the results: they indicate how patients are likely to react after a data breach.

Americans Fear Identity Theft After a Breach of Their PII/PHI


Respondents were asked what concerned them the most about a data breach. 52% cited identity theft as being their greatest concern.

When patients are informed that their personal data have been exposed or stolen, they will be less concerned with whether the healthcare provider complied with HIPAA and more concerned with whether the organization did enough to protect their privacy.

In the case of a breach involving a member of staff snooping on records, patients will want to know: Had sufficient controls been put in place to limit access to data to those who needed it? Was the inappropriate access discovered promptly, for example through audit log monitoring, or only after a complaint? Had background checks been performed on employees? Had all staff members received privacy and security training?

It is important to convey this information to patients so that they know what had been done to limit the probability of a breach occurring, and what is being done to prevent a repeat. Many breach reports state that the company “takes privacy very seriously,” yet the breach notification letter provides scant information to back that statement up. 24% of respondents said they understood that no company was perfect, but those individuals may still switch providers/companies if they believe their privacy will be better protected elsewhere.

Tell Patients What They Can Do To Minimize Risk

Given that the biggest concern following a data breach is identity theft, and that cybercriminals steal PHI precisely in order to commit identity theft and healthcare fraud, it is important to provide patients with information they can act on to protect themselves.

A breach notification letter should not only tell breach victims which data have been exposed, but also what they can do to reduce the risk of identity theft. A patient who actually suffers identity theft as a result of a data breach is far more likely to switch provider/company, and more likely to file a lawsuit for damages.

Summary of HIPAA Breach Notification Letter Requirements


The HIPAA Breach Notification Rule (45 CFR § 164.404) requires covered entities to notify affected individuals without unreasonable delay, and no later than 60 days after discovery of the breach. The notification letter must include:

  • A brief description of what happened, including the date of the breach and the date it was discovered (if known)
  • A description of the types of unsecured PHI that were involved (for example name, Social Security number, date of birth, diagnosis, or health insurance details)
  • A brief description of what the covered entity is doing to investigate the breach
  • Information about how the risk of harm is being mitigated
  • Information about the actions being taken to protect against similar breaches
  • Contact procedures for individuals with questions, which must include a toll-free telephone number, an email address, a website, or a postal address
  • The steps affected individuals should take to protect themselves from potential harm

Information to Help Breach Victims Manage the Risk of Harm


The Breach Notification Rule does not specify which protective steps should be recommended to affected individuals; this is left to the discretion of the covered entity. To allow breach victims to manage the risk effectively, consider including the following in the breach notification letter.

Obtain and Check Explanation of Benefits Statements from Health Insurers

Breach victims should be told to obtain and review Explanation of Benefits (EOB) statements if their health insurance information has been exposed or compromised. These statements list the medical services that were billed and paid on the individual's behalf; any service, provider, or date the patient does not recognize is a sign that their coverage is being used fraudulently and should be reported to the insurer.

Place a Fraud Alert with the Credit Reporting Agencies

Victims can contact one of the three main credit reporting agencies and place a fraud alert; by law that agency must notify the other two. They will not notify Innovis, the fourth credit reporting agency, so as an additional precaution consider advising patients to contact each agency directly. A fraud alert is free of charge. At the time of writing an initial fraud alert lasted 90 days and could be renewed; since September 2018 an initial fraud alert lasts one year. When a fraud alert is in place, a potential creditor should verify the applicant's identity, typically by contacting the individual, before extending credit.

Place a Security Freeze on Their Credit

A security freeze (credit freeze) restricts access to the victim's credit report, which blocks most attempts to open new credit in their name, regardless of who applies. Unlike a fraud alert, a freeze must be placed separately with each of the three main credit reporting agencies: Equifax, Experian, and TransUnion. The freeze remains in place until the individual lifts it, temporarily or permanently, using the PIN or account credentials provided when the freeze was placed. Since September 2018, placing and lifting a freeze is free of charge.

Obtain Free Credit Reports from the Credit Reporting Agencies

By law, each of the three main credit reporting agencies must provide individuals with a free copy of their credit report every 12 months on request, available through AnnualCreditReport.com. Breach victims should obtain their reports to check whether an identity thief has already used their stolen information to apply for credit, and they should be told about this right, as many are not aware of it.

Take Action to Prevent Tax Fraud

Stolen Social Security numbers are commonly used to file fraudulent tax returns and claim refunds. Breach victims who have set up an online IRS account can lock it, making it harder for identity thieves to use it. They can also request an Identity Protection PIN (IP PIN) from the IRS; once issued, a return filed under that Social Security number is rejected unless it includes the current IP PIN.

Tell Breach Victims What to Do If Fraudulent Activity Is Suspected

Make it easy for breach victims to act by telling them what to do if fraud is suspected: contact law enforcement and file a police report, place a security freeze on their credit, notify their health insurer of any unrecognized claims, and file an identity theft report with the FTC at IdentityTheft.gov, which also generates a personal recovery plan.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.