Your EHR or practice-management vendor was breached
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.
The first hour
- 1Confirm the incident with the vendor directly (status page, account manager, official notification) — not by social media.
- 2Pull your signed BAA. Note the breach-notification commitments, the timeline obligations the vendor owes you, and what they will and won't pay for.
- 3Inventory what PHI the vendor processes for you. EHR vs PMS vs clearinghouse vs analytics — each may be a separate vendor with a separate scope.
- 4Document the operational impact in writing — scheduling down, claims down, eligibility down — with timestamps. This is the basis for any business-interruption insurance claim.
- 5Move to manual workflows for the most time-sensitive tasks: prior auths in progress, refill requests, urgent-care diversions, lab result callbacks.
- 6Open a line with your cyber insurer. A vendor breach is often covered even when your own systems weren't touched.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Save the vendor's written breach notification — email, PDF, and any status-page screenshots — with timestamps.
- Preserve your signed BAA and any amendments in a dated folder.
- Export your own audit logs of access to the vendor's system for the 90 days before the notification.
- Keep a written log of operational downtime — start time, services affected, workaround used — for the BI insurance claim.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal
- HHS Breach Notification Rule guidance
- State AG breach notification (varies by state)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Is the breach our fault if it was the vendor?+
Under HIPAA, the practice (the covered entity) and the vendor (the business associate) each have independent obligations. The BA is liable for the breach; the practice is liable for picking and managing the BA. OCR will look at whether you had a current BAA, whether you did vendor due diligence, and whether you notified patients in time once the BA notified you.
When does our 60-day patient notification clock start?+
From the date your practice discovered the breach — which is typically the date the BA notified you, not the date the vendor's incident began. Save that notification email. If the BA delays, the HHS guidance is that your clock starts when you reasonably should have known.
Can we sue the vendor?+
Often yes, subject to the BAA's limitation-of-liability clause. Most BAAs cap vendor liability at fees paid in the prior 12 months, which rarely covers a real breach. Read the cap before you build a financial recovery plan around it.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
EHR, scheduling, e-prescribing, eligibility, payment posting — all dark while the waiting room fills up. The first hour is patient safety, then operations, then the HIPAA clock.
Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.