A laptop, tablet, phone, or USB with patient data is missing
If the device was encrypted and you can prove it, HIPAA's safe-harbor provision often means no breach notification. If you can't prove encryption, the law presumes a breach.
The first hour
- 1Write down exactly what's missing, where it was last seen, and what PHI it could have held — including locally cached email and downloaded reports.
- 2Pull encryption evidence from the management console: BitLocker / FileVault status, MDM enrollment, last successful encryption check-in. Screenshot it now.
- 3Remote-wipe through MDM if available. Do this before declaring the device lost — wipe commands queue until the device comes online.
- 4Change credentials for every account that was signed in on the device. Force a new MFA enrollment.
- 5File a police report if theft is suspected. The report number is useful for insurance and sometimes for state notification.
- 6Open the breach assessment in writing: what PHI, how many patients, encrypted-and-proven (safe harbor) or not (presumed breach).
Evidence to preserve
What not to delete, what to screenshot, what to log. Do this before recovery starts — most of it disappears as soon as systems are rebuilt.
- Screenshot the MDM / BitLocker / FileVault console showing encryption status and last successful check-in for the missing device.
- Export the device's last sync, last login, and any locally cached email or file list.
- Save the police report number if filed.
- Document the four-factor breach risk assessment in writing — nature of PHI, who took it, was it accessed, mitigation steps.
The HIPAA breach clock
Breaches affecting 500+ patients in a single state are reported to HHS and media immediately, not within 60 days. Confirm state-specific timelines with counsel.
Regulator contacts
- HHS OCR Breach Portal
- HHS encryption / safe-harbor guidance
- State AG breach notification (varies by state)
- Your cyber insurer hotline: add your carrier's 24/7 IR phone number here and post it at the front desk. Most claims require notice within 72 hours.
Frequently asked
What counts as 'encryption' under HIPAA?+
HHS specifies NIST-approved algorithms (effectively AES-128 or stronger) applied to data at rest. The key cannot be on the same device unprotected. BitLocker with a TPM, FileVault with a strong password, and a properly configured MDM-enforced encryption profile all qualify. A password-protected document is not encryption under the rule.
Do we have to notify if we're sure no data was accessed?+
Not always. The Breach Notification Rule allows a four-factor risk assessment: nature of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and the extent of risk mitigation. Document the assessment. If the conclusion is 'low probability of compromise' and you can defend it, notification may not be required.
Does a phone with the EHR app count?+
Yes, if the app caches PHI or stores credentials. Most modern EHR mobile apps cache. Treat the phone the same as a laptop.
Free first call. If we're the right fit, we'll tell you. If we're not, we'll tell you that too.
This page is general guidance, not legal advice. Reading it does not create a Business Associate relationship with HackFirstAid. See scope of use.
Related playbooks
Once inside, attackers send spoofed records requests, payroll-redirect emails to the practice administrator, and patient-impersonation messages aimed at controlled-substance refills.
Change Healthcare is the archetype. When the vendor is down or breached, the practice is still the covered entity in the eyes of OCR — and the patients still expect their refills.