Scott Spinola | September 2024 | 6 min read

Crisis Communication Strategies After a Data Breach

When a major crisis happens in your practice, how you respond can go a long way toward saving or sinking your reputation among your patients and the public. A data breach, in particular, is a difficult crisis to manage since it involves technical (and often legal) aspects that smaller practices may have little formal knowledge of. These events can be so complex and multi-layered that even large global enterprises have difficulty managing them.

Among the largest and highest-profile data breaches was the 2017 Equifax data breach. The company’s widely criticized response has been called “a masterclass in bad crisis management” and “haphazard and ill-conceived,” so much so that security and communications experts are still dissecting it years later. The possibility of facing a devastating, complex crisis like this makes proactive response planning critical.

The Challenges of Responding to a Data Breach

In a crisis like a data breach—especially one involving patient, personnel, or financial records—your business will face technical, legal, regulatory, and reputational challenges, each handled by very different functions within your organization. An effective response requires coordination among security, legal, HR, IT, communications, and often external organizations and third-party partners. This is not the time for silos.

The Technical Challenge

There are any number of ways a data breach can happen, some nefarious (a criminal hacking into your system or a disgruntled employee downloading data to sell), others accidental (a lost laptop). The first step after discovering a data breach is determining what happened and how far it reached. Losing a laptop containing a few dozen records is serious, but it warrants an entirely different response than a criminal exfiltrating your entire patient database and selling it on the dark web. Until that scope is established, preserve the evidence: keep logs and affected systems intact rather than wiping and rebuilding them immediately, because the forensic work that follows depends on them.

Determining what happened often requires technical knowledge and forensic skills that smaller practices don’t have on staff. If your IT contractor or staff are unable to quickly identify the source and scope of the breach, consider hiring a cybersecurity incident response service. A reputable one may also be able to assist with the legal aspects of your response and help develop a communications plan. Consult your practice attorney or cyber liability insurance carrier for recommendations; many carriers require you to use their approved responders and to notify them promptly.

The Legal Challenge

Whether it’s the loss of patient medical and personal records, practice financial information, or personnel files, a data breach that includes sensitive personal data will likely trigger legal obligations. These may include HIPAA breach notifications (which must be made without unreasonable delay and no later than 60 days after discovery), FTC and state-level compliance reporting, and ultimately litigation defense. Contact your practice attorney to help assess these obligations before communicating with affected individuals or making public announcements.

The Reputational Challenge

When your patients provide you with the sensitive financial and personal information you need to deliver your services, they trust you to maintain its privacy and security. When that information is compromised, it’s not just a breach of data but a breach of trust. If you have a good reputation among your patients and your community, they are more likely to forgive a data breach. But if you fail to respond transparently, helpfully, and diligently to address the problem, that goodwill could wane.1

Crisis Communication Best Practices

A data breach is not just a crisis for your practice; it’s also a crisis for the affected individuals and their families, whose sensitive details have been exposed in ways that could harm their personal and financial lives. That principle should be the “North Star” guiding your efforts, and how well you follow it in the aftermath of a breach will shape how your reputation survives the crisis. Businesses can learn from Equifax’s well-publicized stumbles and from other breaches; those lessons can help prevent the further erosion of trust and accelerate the rebuilding of your reputation.

Be Transparent

Communicate what you know and can confirm as soon as you can, without unwarranted delay.1 The longer you wait, the more you’ll appear to be stalling.1 Be as transparent and open as is prudent, and put your organization’s leadership front and center. A siege mentality, hunkering down and closing ranks, may be the instinctive reaction to a crisis, but with your public reputation at risk it’s not a wise one. Hiding behind vague legal statements and refusing to answer questions will make you appear evasive.1

Be Cautious

Being transparent doesn’t mean being hasty. Share only confirmed information, without speculation about causes or motivations and without promises you can’t keep. Given the regulatory and legal implications of a data breach, your legal team should be a close partner in drafting and approving every public statement.2 Be cautious about reporting hard figures such as the number of records affected before the investigation is complete. Releasing specific but unconfirmed details too early may force you to backtrack later if the facts change, which can cause confusion or be seen by patients and observers as an attempt to change the narrative.2,3 Seek outside legal counsel or crisis management consultants if needed.2

Be Helpful

In communicating with affected individuals, be as open as you can within the guidance your legal team provides, and try to anticipate their questions. Focus on how the breach affects them and what you’re doing about it. If certain information can’t be shared (for example, details of an ongoing law enforcement investigation), explain why clearly.3 Avoid even the hint of strings attached to the services you offer affected individuals. If, for example, you offer free credit monitoring but make it a trial that requires a credit card to activate, or slip a forced arbitration clause into the fine print, your attempted goodwill will likely produce more outrage, as Equifax discovered.1

Be Proactive

Before your public announcement, brief your social media team to halt posting and turn off all scheduled or automated posts until a communications plan is in place.1 A harmless post scheduled before the breach can be horribly uncomfortable after it. Equifax learned this the hard way when a customer service employee, likely unaware of the situation, tweeted “Happy Friday!” the morning of the breach announcement. Be deliberate and coordinated in your communications on all channels to prevent embarrassing stumbles that become their own mini-crisis. Prepare your social media and customer support teams with the information they need to answer the questions they will receive.2 You can resume posting when the time is right, using legally approved messaging and links to your published communications.


A data breach is a devastating event for a practice and for the affected individuals, and it can cause lasting reputational harm to your organization. But with a properly managed response, you can restore your reputation and earn back the trust of your patients and community.

References

1. John F. Fitzpatrick. “Equifax Scores a Failed Rating for Crisis Communications.” Stratacomm. September 8, 2017.

2. Ashley Sawatsky. “What’s the Best Way to Communicate After a Data Breach?” Dark Reading. December 20, 2023.

3. Cody Chamberlain. “The Do’s and Don’ts of Communicating a Data Breach.” Security. May 23, 2022.
