With the escalation of cyberattacks, health care organizations should have an incident response plan in place, according to attorneys at Morgan Lewis who developed this data breach checklist. They won’t have time to plan when a ransomware attack or other breach is underway, according to Scott Memmott, Mark Krotoski, and Reece Hirsch. The attorneys recommend tabletop drills, where hospitals “dream up a worst-case scenario and simulate what decision-makers would do and assess the level of preparation,” Hirsch said. Contact Krotoski at mark.krotoski@morganlewis.com, Memmott at scott.memmott@morganlewis.com and Hirsch at reece.hirsch@morganlewis.com.
PHASE I: ALERT AND ORGANIZATION
- Company alerted to possible data breach: record date, time, and method of alert
- Notify internal Incident Response Team (IRT), consisting of a representative from:
  - Information Technology
  - Legal/Compliance
  - Outside Counsel (Morgan Lewis)
  - Human Resources
  - Public Relations
  - Customer Service
  - Executive
- Identify an Incident Lead for this incident, who performs as project manager
- Contact outside counsel at Morgan Lewis
- Convene conference call of IRT
- Consider hiring a forensic technology partner, depending on available internal resources and the complexity of the breach
- Notify insurance carrier; understand the scope of preauthorization or limitations on third-party vendor reimbursement
- Check with counsel on the proper role and implementation of the attorney-client privilege in the data breach investigation