A prescriber's EPCS credentials or hard token were compromised
DEA 21 CFR Part 1311 applies on top of HIPAA. The prescriber's DEA registration is on the line — revocation or suspension is possible in addition to any HIPAA breach implications. The playbook nobody else publishes.
The first hour
- 1Suspend the prescriber's EPCS signing capability immediately (Surescripts: Prescriber → EPCS Status → Suspend; DrFirst: Provider → EPCS → Disable; equivalents in athenahealth, eClinicalWorks, Epic).
- 2Notify the prescriber. The DEA registration is theirs personally — they must be in the room for every decision from this point forward.
- 3Pull the EPCS audit log for the last 30 days: prescription, drug, quantity, patient, pharmacy, and the authentication factors used at signing.
- 4Look for drugs the prescriber does not normally write, quantities outside the normal range, unfamiliar pharmacies, and patients not recently seen.
- 5Call any pharmacy that received a suspect script and ask them to suspend dispensing pending verification. If a script has already been dispensed, the patient may be a fraud victim and needs to be contacted.
- 6Document which factor was compromised (something-you-know vs something-you-have) and which factor remained intact. Engage the DEA-registered EPCS application provider — they have third-party audit obligations under 21 CFR 1311.
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- 30-day EPCS audit-log export with the authentication factors recorded per signing event.
- Pharmacy call log: pharmacy contacted, prescription, action taken, time, person spoken to.
- Documentation of which authentication factor was compromised and how it was discovered.
- Re-credentialing record under 21 CFR 1311.105 from the Credential Service Provider, with the proofing-event timestamp.
- Written analysis of whether PHI was accessed during the compromise (e.g., the attacker browsing charts to pick refill targets).
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- DEA Diversion Control Division
- HHS OCR Breach Portal (if PHI was accessed)
- State medical-board directory (FSMB)
- State board of pharmacy (for pharmacy-side coordination)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
Do we have to notify the DEA?+
If the compromise resulted in controlled-substance diversion or attempted diversion, yes — notify the DEA Diversion Control Division. The notification is a judgment call informed by the audit log and the pharmacy investigation. When in doubt, the panel attorney from your cyber insurance carrier should be in the loop.
Can the prescriber just reset their password and resume?+
No. The DEA's identity-proofing requirement under 21 CFR 1311.105 means the prescriber must complete re-proofing through a Credential Service Provider at the appropriate assurance level before signing resumes, and the EPCS application provider must record the event.
Is this also a HIPAA breach?+
Yes if the attacker accessed PHI in the course of the compromise — for example, browsing charts to pick targets for fraudulent prescriptions. Coordinate the DEA notification and the HIPAA notification carefully; the language and audiences are different, and the panel attorney will keep them aligned.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
The attacker is using the portal to view PHI, send refill requests (especially for controlled substances), or impersonate the patient in messages. Triage, contain, and figure out whether this is one account or many.
The incident is contained. Now sequence the carrier-mandated IR vendor with the OCR portal, the state AG filings, and the patient notifications. Small practices stumble here on sequencing, not on the work itself.