When most people think of data breaches, their minds immediately go to financial records, Social Security numbers and the like. Increasingly, however, cyber thieves are setting their sights on health care databases. In February, Health Share of Oregon, the state’s largest Medicaid coordinated care organization, notified 654,000 patients of a data breach after a laptop containing member names, contact information, date of birth, and Medicaid ID numbers, was stolen from its transportation vendor, GridWorks. The theft at Health Share was hardly an isolated incident. Last year alone, dozens of health care providers were impacted by data breaches, including Cancer Treatment Centers of America, Rush University Medical Center and Phoenix Children’s Hospital.
In the third quarter of 2019, the number of breached health care records passed the 38 million mark, nearly 12% of the population, according to the HIPAA Journal. Breaches may be caused by many different types of incidents, including credential-stealing malware, an insider who purposefully or accidentally discloses patient data, and lost laptops or other devices. The potential impact on patients can be significant, as thieves may use the stolen information to obtain prescription medications, open credit card accounts, break into bank accounts, or even blackmail them with sensitive personal details.
When the stakes are high – and regulations are strict – health care organizations must be prepared to respond to this type of crisis. Over the last several years, Chartwell has been called in to help several health care organizations manage data breaches, develop the appropriate messaging, and train internal staff on how to manage questions from the media, patients, and partners. We identify and work within a four-stage approach to crisis communications:
- Breaking News: When dealing with a security breach, it’s crucial to respond quickly. While the C-suite and legal team may want to delay communication until it’s “just right,” time is of the essence. You don’t want to be sending out a letter that begins, “Two weeks ago …” We advise clients to have pre-drafted statements approved by legal and 80% ready to go in the event a data breach occurs. Getting out in front of the issue allows the organization to take control of the narrative, rather than waiting until word leaks out and then scrambling to explain the situation and why impacted parties weren’t notified sooner.
- Drama: Once the media gets wind of a data breach, there will be a concentrated effort to dramatize the situation. Impacted parties will be asked how they feel about the breach and what worries them. This is where it’s important to be consistent, stick to the facts, provide a constant flow of information and set yourself up as the resource for additional information. Above all else, be sure to keep the focus on the impacted parties. Sure, it’s going to require a lot of work on your end to clean up this mess, but this isn’t about you – this is about them. Explain what steps the organization is taking and ensure that all messaging includes concern for the patients whose information has been breached.
- Blame: Whether the breach was the result of an internal error or a lapse in security by a third-party, avoid the temptation to point fingers. Accept responsibility for the breach and keep the focus on the impacted parties. Your patients don’t care who caused the breach. They want to know it’s going to be fixed and you are taking steps to make sure it doesn’t happen again.
- Resolution: When the crisis seems to have passed and you feel like your job is done, think again. A data breach is a very fluid situation and it’s not uncommon to bounce around these four stages for a while. You must continue communicating and be prepared for any surprises that may still come your way. To borrow an analogy from baseball or golf, you have to swing all the way through. Crisis communications is the same. You have to communicate all the way through, beyond resolution, to make sure you’ve closed the loop.
While data breaches are becoming more common, don’t let them stifle your response or stop the other prioritized work you are overseeing. Being prepared allows you to better handle any crisis as well as your daily efforts.