How Much Time Before Notifying a Breach?

I hope you already have something in place to detect when a breach occurs. But assume there was a breach and you found out about it: when should you notify? For HIPAA-covered entities the Breach Notification Rule sets the outer bound: affected individuals must be notified without unreasonable delay, and no later than 60 calendar days after the breach is discovered.

So let's assume you are in the health industry and protect PHI. Personal health information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care (definition from Google). When must a breach of that data be reported to the people in your database?

An older post says the breach must be investigated immediately. BUT one does not automatically know that a breach occurred, so we have to develop a process to uncover breaches and then decide what to do about them:


  1. A breach is found or suspected.
  2. Risk analysis of the breach: if it occurred, what happened, what data was involved, and who could have seen it?
  3. Determine the level of risk:
    1. If low: document it, fix the cause and move on.
    2. Anything else, including high: prepare to notify the individuals whose PHI was exposed.

When breach notification is required, the notice to each affected individual must include:

  • A brief description of the breach, including the date it happened and the date it was discovered.
  • A description of the types of unsecured PHI involved.
  • The steps the individual should take to protect against potential harm.
  • A brief description of the steps you have taken to investigate the incident, mitigate harm, and protect against further breaches.
  • Your contact information.



There are many types of breaches. In the health field, if a person sees data they should not have seen, this is a HIPAA breach. A breach of this type may be handled internally: if the employee or contractor was rebuked and reminded that this data is not for public consumption, and your risk analysis finds a low probability that the PHI was compromised, this is a low-risk event.

In another case, if the breach is a lost laptop that held patient data, this is a notification event. Every case is different.

There are many potential scenarios, and I cannot list all the types of breaches in health care and other industries. Data containing Social Security numbers and addresses matters just as much. Knowing when to notify, and writing that decision into your incident response plan, is also important. You don't want to be developing these plans while there is a problem. And every company that handles credit card data needs to plan for this incident response (IR) eventuality as well. The kinds of data that can trigger a notification include:

  • HIPAA breaches (PHI)
  • PCI breaches (cardholder data)
  • Social Security numbers and similar identifiers
  • Private data of your customers
  • Other data such as employee hiring records
  • Payroll data
  • Any data that somebody can use to sue you


We cannot predict how this regulatory environment will change in the future, but it is safe to say that even if regulation is reduced, an enterprising lawyer will take you to court if nothing was done.



So it is better to get started on an incident response plan now.

Contact us today.
