Using email to notify patients of a data breach
Tshedimoso Makhene
Oct 14, 2024 2:50:56 PM
Email can efficiently notify patients about a data breach due to its speed, scalability, and accessibility. It allows healthcare organizations to quickly reach a large number of affected individuals without delay, ensuring timely communication in a crisis.
The U.S. Department of Health and Human Services (HHS) makes this requirement clear: “Covered entities must notify affected individuals following the discovery of a breach of unsecured protected health information. Covered entities must provide this individual notice in written form by first-class mail, or alternatively, by e-mail if the affected individual has agreed to receive such notices electronically.” This regulation under HIPAA’s Breach Notification Rule demonstrates that email is an effective notification method and a legally recognized option, provided patients have consented to receive such communications electronically. In addition to meeting compliance standards, email gives healthcare organizations the advantage of speed, cost-efficiency, and widespread reach, ensuring patients are promptly informed in the event of a breach.
Why email is an effective notification method
The number of internet users who use email has grown dramatically. According to Statista, email penetration rates in the U.S. rose from 83.7% in 2013 to 92.4% in 2023. This surge in email adoption reflects the increasing reliance on digital communication across various sectors, including healthcare, business, and personal interactions. As more individuals recognize the convenience and immediacy that email provides, it has become a staple in everyday communication, facilitating everything from appointment reminders to important notifications like data breach alerts. In healthcare, 1%-10% of patients use email to communicate with their healthcare provider between appointments. This existing familiarity makes it an ideal channel for urgent breach notifications.
As stated in the study Email Use Reconsidered in Health Professions Education: Viewpoint, the benefits of email include “its affordability, accessibility, and ability to send accompanying files.” Furthermore, the study notes email’s “simplicity and speediness of communication.”
Most healthcare providers already communicate with patients via email. In fact, the study E-mail in patient–provider communication: A systematic review found that “72% of providers reported using e-mail to communicate with patients.” This makes email a familiar and reliable communication channel in the industry. However, the way a breach notification is framed in an email can significantly affect how patients perceive both the incident and the organization's response.
HIPAA considerations for email breach notifications
Under the HIPAA Breach Notification Rule, “Following a breach of unsecured protected health information, covered entities must provide notification of the breach to affected individuals, the Secretary, and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate,” says the HHS. Individual breach notification “must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach.”
Elements of a data breach notification email
A well-crafted breach notification email must strike a balance between transparency and reassurance. It should provide clear and concise information about the incident while offering guidance and support to affected patients. Below are the key components to include:
Clear and direct subject line
The subject line should immediately grab the recipient's attention without causing undue alarm. Avoid overly dramatic wording like “Your data has been hacked!!!” Instead, opt for a straightforward approach like:
- “Important notice: Data security incident”
- “Notification regarding your personal information”
- “Update on your patient information security”
The goal is to capture attention, signal urgency, and encourage patients to open the email without inciting panic.
Opening statement
Begin the email with a clear and empathetic statement. Acknowledge the gravity of the situation, and let patients know why you are reaching out to them. For example:
“We are writing to inform you about a recent data security incident that may involve your personal information. Your privacy and security are of utmost importance to us, and we want to ensure you are fully aware of the situation.”
This sets the tone for an open and transparent dialogue, helping to maintain patient trust.
Details of the breach
In the next section, outline the specifics of the breach, including:
- When it occurred: Mention the date or timeframe.
- What happened: Provide a brief, factual account of the incident.
- What data was compromised: Clearly state what types of information may have been exposed (e.g., names, addresses, Social Security numbers, medical records).
It’s important to be honest and direct without overwhelming patients with technical jargon.
What actions are being taken
Reassure patients that you are taking the situation seriously and outline the steps your organization is taking to address the breach. These actions could include:
- Engaging cybersecurity experts to investigate.
- Enhancing security protocols.
- Reporting the breach to law enforcement or regulatory authorities.
For example: “We immediately secured our systems and engaged a leading cybersecurity firm to investigate the incident. We are working closely with law enforcement and regulators and have implemented additional safeguards to protect patient information.”
Organizations might also want to inform patients of any preventive measures, such as security updates or system patches, that are being implemented.
Potential impact on patients
Provide clear information on the potential risks posed by the breach. This could include identity theft, fraud, or unauthorized access to medical information. Encourage patients to monitor their accounts, credit reports, or other personal information closely for suspicious activity.
Support and next steps
Offer practical steps that patients can take to protect themselves, such as:
- Signing up for credit monitoring or identity theft protection services.
- Changing passwords on online accounts.
- Contacting financial institutions to flag potential fraud.
If your organization is offering free credit monitoring or identity protection services, include detailed instructions on how patients can access these services.
Contact information
Provide an easy way for patients to get answers. A breach response team should be available via:
- Dedicated phone line with trained staff.
- Email support address specifically for breach-related inquiries.
- Breach information webpage with FAQs and updates.
This reduces patient anxiety and helps manage inquiries efficiently.
Closing
Conclude the email by reiterating your commitment to protecting patient privacy and preventing future incidents. A sincere apology can go a long way toward maintaining patient trust:
“We deeply regret this incident and any inconvenience it may cause. Please know that we are committed to safeguarding your information and will continue to take every necessary step to ensure your privacy and security.”
Best practices for effective email notifications
Beyond compliance, several best practices can help ensure breach notifications are effective:
- Personalization: Address patients by name rather than sending a generic mass message.
- Consistency: Align messaging with updates on your website and social media to prevent confusion.
- Plain language: Avoid legal or technical jargon; patients should clearly understand what happened and what to do.
- Follow-up communication: Send updates as the investigation progresses. Patients appreciate ongoing transparency.
- Internal alignment: Train customer service and front-line staff so they are prepared to answer patient questions consistently.
When patients can’t be reached via email
Breach notifications via email are only as effective as the accuracy and completeness of the patient contact information on file. If a patient has not provided an email address, has opted out of electronic communications, or if emails are returned as undeliverable, healthcare organizations must use alternative notification methods to remain HIPAA compliant. The Breach Notification Rule accordingly notes that “If the covered entity has insufficient or out-of-date contact information [including email addresses] for 10 or more individuals, the covered entity must provide substitute individual notice by either posting the notice on the home page of its web site for at least 90 days or by providing the notice in major print or broadcast media where the affected individuals likely reside.”
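The two thresholds this post quotes (individual notice within 60 days of discovery, and substitute notice once contact details are insufficient for 10 or more individuals) can be encoded as a small triage step over the patient contact file. The following is an added illustration, not code from the original post or from any vendor: the Patient record, the email_bounced flag and the sample records are all constructed here for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Figures quoted in the post: individual notice within 60 days of discovery;
# substitute notice when contact details are insufficient for 10 or more people.
NOTICE_DEADLINE_DAYS = 60
SUBSTITUTE_NOTICE_THRESHOLD = 10

@dataclass
class Patient:
    name: str
    email: Optional[str]            # None when no address is on file
    email_consent: bool             # agreed to receive notices electronically
    email_bounced: bool = False     # assumed flag: an earlier email came back undeliverable
    postal_address: Optional[str] = None

def choose_channel(p: Patient) -> str:
    """Email only with consent, an address on file and no bounce; otherwise
    first-class mail; 'insufficient' when neither channel is usable."""
    if p.email and p.email_consent and not p.email_bounced:
        return "email"
    if p.postal_address:
        return "mail"
    return "insufficient"

def plan_notification(patients: list, discovered_on: date) -> dict:
    """Assign a channel per patient, compute the 60-day deadline and decide
    whether the 10-or-more substitute-notice rule (website/major media) applies."""
    channels = {p.name: choose_channel(p) for p in patients}
    unreachable = [n for n, c in channels.items() if c == "insufficient"]
    return {
        "deadline": discovered_on + timedelta(days=NOTICE_DEADLINE_DAYS),
        "channels": channels,
        "unreachable": unreachable,
        "substitute_notice_required": len(unreachable) >= SUBSTITUTE_NOTICE_THRESHOLD,
    }

def sample_patients() -> list:
    """Constructed sample records for the example, not real patient data."""
    base = [
        Patient("A", "a@example.com", True),                               # email
        Patient("B", "b@example.com", False, postal_address="1 Main St"),  # no consent
        Patient("C", "c@example.com", True, email_bounced=True,
                postal_address="2 Main St"),                               # bounced
        Patient("D", None, False),                                         # nothing usable
    ]
    return base + [Patient(f"P{i}", None, False) for i in range(9)]
```

With the constructed records, plan_notification(sample_patients(), date(2024, 10, 14)) returns a 2024-12-13 deadline and flags substitute notice, because 10 of the 13 records have no usable contact details; the unreachable list is returned so staff can pursue the alternative methods the post describes.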
FAQs
Should breach notification emails be encrypted?
Yes. Notification emails should be sent via a HIPAA compliant email system with encryption to protect patient information and reduce the risk of further exposure.
What if my organization doesn’t know the full details of the breach yet?
Organizations should still send initial notifications within the 60-day timeframe, providing the information available. If more details become clear later, a follow-up or addendum notice should be sent to update patients.
Is it necessary to offer compensation to affected patients?
While not legally required, offering compensation, such as free credit monitoring or identity theft protection services, can demonstrate your organization's commitment to addressing the breach and supporting affected patients. This can help rebuild trust and mitigate potential harm.