Skip to main content
All playbooks
Playbook

A prescriber's EPCS credentials or hard token were compromised

DEA 21 CFR Part 1311 applies on top of HIPAA. The prescriber's DEA registration is on the line — revocation or suspension is possible in addition to any HIPAA breach implications. The playbook nobody else publishes.

Last reviewed: May 2026

The first hour

  1. 1Suspend the prescriber's EPCS signing capability immediately (Surescripts: Prescriber → EPCS Status → Suspend; DrFirst: Provider → EPCS → Disable; equivalents in athenahealth, eClinicalWorks, Epic).
  2. 2Notify the prescriber. The DEA registration is theirs personally — they must be in the room for every decision from this point forward.
  3. 3Pull the EPCS audit log for the last 30 days: prescription, drug, quantity, patient, pharmacy, and the authentication factors used at signing.
  4. 4Look for drugs the prescriber does not normally write, quantities outside the normal range, unfamiliar pharmacies, and patients not recently seen.
  5. 5Call any pharmacy that received a suspect script and ask them to suspend dispensing pending verification. If a script has already been dispensed, the patient may be a fraud victim and needs to be contacted.
  6. 6Document which factor was compromised (something-you-know vs something-you-have) and which factor remained intact. Engage the DEA-registered EPCS application provider — they have third-party audit obligations under 21 CFR 1311.

Evidence to preserve

What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.

  • 30-day EPCS audit-log export with the authentication factors recorded per signing event.
  • Pharmacy call log: pharmacy contacted, prescription, action taken, time, person spoken to.
  • Documentation of which authentication factor was compromised and how it was discovered.
  • Re-credentialing record under 21 CFR 1311.105 from the Credential Service Provider, with the proofing-event timestamp.
  • Written analysis of whether PHI was accessed during the compromise (e.g., the attacker browsing charts to pick refill targets).

The HIPAA breach clock

The breach-notification clock starts at discovery. Federal HHS deadline is 60 days; many states are faster.
HHS / patient (federal)
September 5, 2026
60 days from discovery
CA / FL / others
August 6, 2026
30-day state floor
NY / others
August 21, 2026
45-day state floor

Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.

Regulator contacts

Frequently asked

Do we have to notify the DEA?+

If the compromise resulted in controlled-substance diversion or attempted diversion, yes — notify the DEA Diversion Control Division. The notification is a judgment call informed by the audit log and the pharmacy investigation. When in doubt, the panel attorney from your cyber insurance carrier should be in the loop.

Can the prescriber just reset their password and resume?+

No. The DEA's identity-proofing requirement under 21 CFR 1311.105 means the prescriber must complete re-proofing through a Credential Service Provider at the appropriate assurance level before signing resumes, and the EPCS application provider must record the event.

Is this also a HIPAA breach?+

Yes if the attacker accessed PHI in the course of the compromise — for example, browsing charts to pick targets for fraudulent prescriptions. Coordinate the DEA notification and the HIPAA notification carefully; the language and audiences are different, and the panel attorney will keep them aligned.

Need to walk through this with someone?

Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.

This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.