
How should healthcare organizations communicate with patients after a breach?

“In the first six months of the year, 343 data breaches have been reported to the U.S. Department of Health & Human Services. Organizations are required to notify the department of any breaches of health data affecting more than 500 people to the federal government,” reports Chief Healthcare Executive. Each of those reports represents a serious privacy concern for patients and a test of transparency and accountability for healthcare providers.

What separates organizations that weather these crises from those that falter is how they respond; how a healthcare organization interacts with patients after a breach can determine whether trust is rebuilt or permanently lost.

 

Why a thoughtful breach response matters

Data breaches are not just technical incidents; they are personal for the individuals affected. Protected health information (PHI) is among the most sensitive types of data, including diagnoses, treatment histories, insurance details, and even Social Security numbers. According to CNBC, “Cybersecurity researcher Jeremiah Fowler said on the dark web, medical records sell for $60 compared to $15 for a Social Security number and $3 for a credit card. Compounding that is the fact that there’s a chronic shortage of staffing.” With such high stakes and limited internal resources, a thoughtful breach response helps protect patients, maintain trust, and meet both ethical and legal obligations.

Mishandled breach notifications can leave patients exposed to identity theft and to public disclosure of confidential medical conditions. Beyond the legal implications, the patient-provider relationship is built on trust. Maintaining that relationship requires transparency, empathy, and a proactive approach to mitigation.

As Sumantra Sarkar, an expert in healthcare data governance at Binghamton University, puts it, “First of all, don’t hide it. Some healthcare organizations actually try to do that from concerns about loss of reputation, profits or employment. But if customers find out, they become really angry. Transparent communication and prompt notification are critical.

They should also provide remediation assistance like credit card monitoring, dedicated support and compensation if a lawsuit is involved. There isn’t much more they can do.”

Read also: How to respond to a data breach

 

Responding to a data breach

Responding swiftly and strategically to a data breach helps to minimize harm and maintain trust. The U.S. Federal Trade Commission (FTC) outlines a clear, step-by-step process that healthcare organizations can adapt to meet HIPAA obligations and safeguard patient relationships.

 

Secure your systems

The first priority after discovering a breach is to contain it. “Take steps to prevent further data loss. Move quickly to secure your systems and fix vulnerabilities that may have caused the breach,” advises the FTC. This includes:

  • Disconnecting compromised systems from the network (isolate rather than power off where possible, so memory-resident evidence such as running processes and active sessions is not lost)
  • Changing access credentials and passwords, including service-account, API, and remote-access credentials the attacker may have obtained
  • Implementing stronger firewalls or access controls
  • Preserving forensic evidence by avoiding unnecessary changes to affected systems

For healthcare providers, this also means coordinating with IT and compliance teams to maintain service continuity while investigating the breach.

 

Fix vulnerabilities

After containment, the next step is to focus on identifying and addressing the root cause of the breach. Was it due to a phishing attack, an unpatched server, or an insider threat?

The FTC states, “Think about service providers—what data do they have access to? What security measures do they have in place?” Steps should include:

  • Patching known vulnerabilities
  • Reviewing and updating vendor security practices
  • Enforcing multi-factor authentication (MFA)
  • Reconfiguring or segmenting your network to limit future exposure

 

Engage a forensic investigator and legal counsel

It is best to bring in cybersecurity experts to determine what happened, what data was accessed, and for how long. Simultaneously, healthcare organizations should consult legal counsel familiar with HIPAA, state laws, and breach notification rules. “You may need to hire independent forensic investigators to ensure an accurate assessment,” the FTC recommends.

An accurate assessment is essential before notifying affected parties or regulators: the organization needs to know which records were involved, what data elements they contained, and when the exposure began and ended before it can give patients and the U.S. Department of Health and Human Services (HHS) a complete and correct account of the breach.

 

Notify the appropriate parties

Once organizations understand the scope, they must notify the relevant stakeholders:

  • Patients whose data was exposed
  • The HHS Office for Civil Rights (OCR) for HIPAA-covered entities
  • Prominent media outlets serving a state or jurisdiction, if more than 500 of its residents are affected (a HIPAA requirement)
  • State attorneys general, depending on your jurisdiction
  • The FTC, if the breach involves consumer health apps or non-HIPAA entities
  • Law enforcement, particularly if there is potential criminal activity

“Delay notifying the public if law enforcement determines it would impede a criminal investigation,” the guide adds, but also notes that this should be well documented.

For patient notifications, ensure your communication is clear, empathetic, and contains the elements HIPAA requires:

  • What happened, including the date of the breach and the date it was discovered, if known
  • What types of information were involved (for example, names, Social Security numbers, diagnoses, insurance identifiers)
  • What you are doing to investigate, mitigate harm, and prevent a recurrence
  • What steps patients can take to protect themselves
  • How to reach you for more information, including a toll-free number, email address, website, or postal address

 

Offer support and remediation

Providing meaningful help to affected individuals is not only best practice, but it also demonstrates accountability and helps preserve trust. “Consider offering at least a year of free credit monitoring services, particularly if Social Security numbers or financial information was exposed,” the FTC advises.

For healthcare organizations, this could also include:

  • Identity theft restoration support
  • Dedicated hotlines or case managers
  • Instructions on how to place fraud alerts or credit freezes
  • Access to IdentityTheft.gov for step-by-step recovery help

 

Review and refine your response

“Once you’ve recovered from the breach, think about what you can do to reduce the likelihood of another incident,” the FTC encourages.

Key actions may include:

  • Conducting staff training on phishing awareness and data handling
  • Revisiting access privileges and user permissions
  • Performing penetration testing or security audits
  • Updating your vendor contracts to include breach response clauses

 

Why this structured approach matters

By following the FTC’s framework, healthcare organizations can more effectively contain breaches, preserve evidence, restore systems, and, most importantly, reassure patients during a moment of vulnerability. It reinforces trust, reduces harm, and aligns with legal and ethical responsibilities.

Read more: What are the HIPAA breach notification requirements

 

What should be offered?

After a data breach, healthcare organizations should offer meaningful support to help patients protect themselves. This includes:

  • Free credit monitoring (usually for at least one year)
  • Identity theft protection and resolution services
  • Dedicated hotlines or support teams to answer questions
  • Clear guidance on placing fraud alerts or credit freezes
  • Assistance with filing identity theft reports, such as through IdentityTheft.gov

 

What should be done: Episource breach

In February 2025, Episource, a healthcare analytics firm under UnitedHealth’s Optum, suffered a breach affecting 5.4 million people. Hackers stole names, Social Security numbers, insurance IDs, diagnoses, and prescription data.

 

Steps taken to mitigate the breach

  • Systems shut down to contain the breach
  • Law enforcement and forensic experts were brought in
  • Patients were notified as required by HIPAA
  • Free credit monitoring and identity restoration were offered through IDX

This swift, transparent response, paired with tangible support, aligned with HIPAA and helped preserve patient trust.

Go deeper: Episource data breach exposes health records of over 5 million patients

 

What shouldn’t be done: Frederick Health breach

The ransomware attack on Frederick Health Medical Group, reported in April 2025, impacted nearly 934,000 individuals, exposing sensitive data such as Social Security numbers, medical histories, and driver’s license information.

The response to this breach illustrates what shouldn’t be done:

  • Don’t delay full disclosure: The organization took extensive time confirming details of the compromise, leaving patients in the dark
  • Don’t be vague: The lack of clarity around the breach timeline and scope created confusion and distrust
  • Don’t stop at minimal support: While credit monitoring was offered, the absence of detailed guidance left affected individuals unsure about next steps
  • Don’t downplay the breach: Limited communication and sparse updates failed to show accountability and empathy.

Go deeper: Frederick Health ransomware attack affects nearly 1 million

 

Common mistakes to avoid

  • Delaying disclosure: Patients may hear about the breach through news or social media first, creating distrust and exposing you to regulatory fines
  • Minimizing the impact: Language like “only a small number of patients were affected” or “we don’t believe your data was misused” can appear dismissive
  • Blaming others: Even if a third-party vendor was responsible, the healthcare provider is ultimately accountable for protecting PHI
  • Ignoring emotional impact: Patients may fear stigma, financial harm, or exposure of sensitive information. Organizations must acknowledge this in their tone when addressing the breach
  • Failing to follow up: Without continued engagement, patients may feel abandoned after initial notification


 

FAQS

How soon must we notify patients after a breach?

HIPAA requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. Breaches affecting 500 or more individuals must be reported to HHS on the same timeline; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. Some state laws impose shorter deadlines, so check the requirements in each jurisdiction where affected patients reside.

 

What information might have been stolen in a healthcare breach?

Commonly breached data includes names, dates of birth, addresses, Social Security numbers, medical diagnoses, treatment records, insurance policy numbers, and billing information.

 

Can we be penalized for not handling the breach properly?

Yes. Organizations can face civil monetary penalties and lawsuits if they fail to comply with HIPAA breach notification requirements or act negligently.