When a major crisis happens at your practice, how you respond can go a long way toward saving or sinking your reputation among your patients and the public.[3] A data breach, in particular, is a difficult crisis to manage because it involves technical (and often legal) aspects that you may have little formal knowledge of. The 2017 Equifax data breach and the company's widely criticized response is just one example. The potential for devastating, complex crises like this makes knowing how to respond after a data breach even more critical.
Security and communications experts will likely be dissecting the Equifax data breach and the company's response to it for years as a textbook case of what not to do. Investigative cybersecurity reporter Brian Krebs called Equifax's response to the breach the most "haphazard and ill-conceived" he could remember,[1] despite the company having nearly six weeks to plan it between when it discovered the breach (July 29) and when it announced it (September 8). Just a few examples will illustrate his point:
- A likely unaware customer service employee staffing the @AskEquifax customer support Twitter account tweeted "Happy Friday!" the morning of the breach announcement.[2]
- The web sites Equifax set up to handle communications and public inquiries were varied, confusing, and erroneously flagged by security software as fraudulent.[1]
- Equifax C-level executives sold off millions of dollars' worth of stock days after the company learned of the breach but well before the announcement, claiming they weren't aware of the breach.[1]
- The company asked already distrustful consumers with legitimate identity theft concerns to provide intrusive information (six digits of their social security number instead of four) to check whether their information was compromised,[3] and the site returned conflicting answers depending on when and from which device a consumer accessed it.[1]
The list could go on with reports of Equifax stumbles during this crisis, but more important for your practice is what you can learn and how you can apply it to prepare for a breach.
The Challenges of Responding to a Data Breach
In a crisis like a data breach — especially if it involves medical records — your practice will face several very different challenges, each involving very different functions within your organization, and often external organizations and third-party partners. An effective response requires coordination across your organization — security, legal, HR, IT, communications, and external partners. This is not the time for silos.[4]
The Technical Challenge
There are any number of ways a data breach can happen, some nefarious (a criminal hacking into your system or a disgruntled employee exporting data to sell), others inadvertent (a lost laptop or improper records disposal). The first step after discovering a data breach is determining what happened. This will go a long way toward directing your initial response. Losing a laptop containing a few dozen patient records is serious, but it may warrant an entirely different response than a criminal hacker or former employee stealing your EHR database and selling it on the dark web. The former may demand a limited response: targeted communications to affected patients (and subsequent reputation repair) and fulfilling compliance obligations. The latter is likely to make headline news, requiring a more comprehensive response.
Except in obvious cases like a lost laptop or misplaced paper records, determining what happened often requires technical knowledge and forensic skills that many practices don’t have among their staff. If your IT contractor or staff are unable to quickly discover the source of the breach, you might consider hiring a cyber incident response service. A reputable one will have the skills and experience to undertake a forensic investigation, and may also be able to assist in the communications and legal aspects of your response. Consult with your business attorney or cyber liability insurance carrier for recommendations.
The Legal Challenge
Whether it's the loss of client financial information, personnel files, or patient records, a data breach that includes sensitive personal, medical, and financial information will trigger legal obligations such as reporting and notifications, and it may require litigation defense. It's a good idea to contact your business attorney to help assess these challenges before communicating with affected patients or making public announcements.
The Reputational Challenge
When your patients provide you with the highly sensitive medical, financial, and personal information you need to deliver your services, they entrust you to maintain its privacy and security. When that information is compromised, it's not just a breach of data but a breach of trust. If you have a good reputation among your patients and your community, they are more likely to be forgiving of a data breach. But if you fail to respond transparently, helpfully, and diligently to address the problem, that tendency toward forgiveness can wane.[3]
Crisis Communication Lessons from the Equifax Breach
A data breach is not just a crisis for your practice; it's also a crisis for the affected individuals and their families, who have had sensitive details about their lives exposed that could be used for nefarious purposes that damage their personal and financial lives. This principle should be the North Star that guides your efforts.[4] How well you do that in the aftermath of a breach will affect how your reputation survives the crisis.
There are lessons your organization can learn in this regard from Equifax’s well-publicized stumbles that can help prevent the further erosion of trust and accelerate the rebuilding of your reputation.
Communicate what you can as soon as you can, without unwarranted delay. There will necessarily be some time needed between the discovery of the breach and your announcement as you investigate what happened and what needs to be done.[3] However, the more you delay your response, the more you'll appear to be stalling. Bad news is often best delivered all at once rather than as a slow drip that extends the news cycle.[3]
Be as transparent and as open as it is prudent to be, and put your organization's leadership front and center. A siege mentality where you hunker down and close ranks may be an instinctual reaction to a crisis but, with your public reputation at risk, it's not a wise one. There will be things you can't or shouldn't say, but hiding behind vague legal statements and not answering questions will make you appear evasive, as it did Equifax.[3]
Being transparent doesn't mean being hasty. Initial communications in the immediate aftermath of the breach — even while your investigation is ongoing — should simply be what one crisis communicator calls a media holding statement: "Acknowledge the incident, share the steps the organization has taken to remediate the issue (so far), offer any true assurances about partnering with industry experts or the FBI/Secret Service, and a stated commitment to ensuring the protection of employee/customer information."[4]
Since details are likely to change as your investigation progresses, be cautious about reporting hard information such as numbers of records before the investigation is complete. Releasing such details too early could require corrections later and make your organization seem like it doesn't know what it's doing. Focus your initial messaging on what's being done to investigate the issue.[4]
In communicating with affected individuals, don't obsess over technical details. Focus on how the breach affects them and what you're doing about it.[4] When providing remedies, avoid even the hint of strings attached to what you offer affected patients.[3] For example, if you offer a free year of credit monitoring because financial data was included in the breach, don't offer it as a trial requiring a credit card for activation (which will seem exploitative), and don't try to sneak legal disclaimers into the fine print. Equifax included a forced arbitration clause in its credit monitoring offering and dropped it only after the negative publicity had already done the reputational damage.[3]
In a crisis, your reputation will be made or unmade online, especially on social media. Prior to your public announcement, brief your social media team and turn off all scheduled or programmed posts.[3] Be deliberate and coordinated in your communications to prevent embarrassing stumbles that become their own mini-crisis, like that of the unfortunate customer service representative at Equifax. It's also important to be aware of public perceptions of the breach and your company. Have your social media and communications team monitor both social and traditional media platforms to help inform and guide your ongoing response strategy.[4]
A data breach is a devastating event and can cause lasting reputational harm to your practice. But with a properly managed response, you can restore your reputation and earn back the trust of your patients and community.
1. Krebs, B. "Equifax Breach Response Turns Dumpster Fire." Krebs On Security, 9/8/2017 (accessed 10/13/2017).
2. DePaolo, J. "Equifax Slaughtered on Twitter For Wishing Customers 'Happy Friday' After Data Breach." Mediaite, 9/8/2017 (accessed 10/13/2017).
3. Fitzpatrick, J. "Equifax Scores a Failed Rating for Crisis Communications." Stratacomm (accessed 10/13/2017).
4. Santarcangelo, M. "What Security Leaders Need to Know about Breach Communication." CSO, 11/20/2015 (accessed 10/13/2017).