Once you have discovered that a breach has occurred, what do you do? Remember: the acquisition, access, use, or disclosure of PI in a manner not permitted by law is an apparent breach unless the agency can demonstrate that it is not reasonable to believe that the PI has been compromised, based on a risk assessment of at least the factors below.
Determine the nature and extent of the PI involved, including the types of identifiers and the ability to identify individuals:
- Low: The information is publicly available information that is lawfully made available to the public from federal, state, or local government records.
- Moderate: The information consists of demographic or administrative information that could be used to identify individuals but is not sensitive or specially protected.
  - Ex: The information lists names together with services, does not involve other PI, and is not related to sensitive, specially protected services such as mental health or chemical dependency treatment.
- High: The information includes elements that could be used for identity theft, or records that are highly sensitive or personal and are protected by heightened confidentiality laws.
  - Ex: Information that ties names or other unique identifiers to social security numbers, driver's license numbers, financial account numbers with passwords, mental health or chemical dependency treatment records, or IRS and social security records.
Determine the nature of the person who acquired, accessed, used, or received the PI:
- Low: Limited or no risk of re-disclosure of the information by the recipient.
  - Ex: An employee of another agency or a trusted contractor; a recipient required by law to maintain confidentiality, such as under attorney/client privilege or as law enforcement; a recipient subject to confidentiality laws who confirmed that they did not access the data, or returned the data intact and did not retain a copy.
- Moderate: Moderate or unknown risk of disclosure.
  - Ex: The information is lost or missing and may not have been accessed; it is unclear or unknown whether the recipient accessed or retained the data; the recipient returned the information; or the recipient was not subject to confidentiality law but was acting in good faith.
- High: There is a severe risk of disclosure, and the recipient is likely to re-disclose, sell, or transfer the data, or is known to have used the PI for malicious purposes.
  - Ex: The acquisition resulted from a criminal act, including theft or hacking, or the information was obtained by a person with retaliatory motives.
Risk: Determine whether the PI was actually accessed, acquired, or viewed by an unauthorized individual:
- Low: No proof of access to or acquisition of the PI. It would be difficult or impossible for the individual to access the personal information without sophisticated or extreme measures, and the individual had limited opportunity or ability to do so; or the agency is able to demonstrate lack of access through a technical assessment.
- Moderate: It is unknown whether the individual acquired access to the PI, or a known individual acquired the PI in a manner that could be replicated. A technical assessment of access shows limited access or is inconclusive. The means to access the data is commonly known or available.
- High: It is known or reported that the PI was accessed, acquired, used, sold, or further disclosed for malicious purposes.
Take steps to mitigate the results of the breach.
- Ex: Confidential information sent to the wrong recipient was confirmed returned or destroyed, or policies and procedures were modified as a result of the incident.
- List a brief description of the mitigation steps, the person or entity responsible for the breach, and the target or actual date of completion.
- After implementing the mitigation steps, re-assess the remaining risk to personal information:
  - Low: All corrective actions have been taken, and the risk of future occurrences has been removed or reduced to an acceptable level.
  - Moderate: Some corrective actions have been taken, but other reasonable steps cannot be implemented due to cost or other factors.
  - High: Significant risk of continuing compromise of PI remains despite mitigation.
Rate your Risk
For each of the risk assessment questions above, create a chart and enter your risk rating (e.g. low, moderate, high).
- There are 4 categories you need to assess and give a risk rating:
  - Nature and extent of PI
  - Unauthorized persons acquiring PI
  - Risk whether PI was accessed or acquired
  - Impact of mitigation steps on the risk of compromise
- Sum your risk ratings.
- Consider other possible factors that could impact your risk rating.
Determine whether the unauthorized acquisition, access, use, or disclosure of PI compromised the security or privacy of Personal Health Information (PHI):
- Based on the above factors, determine whether there is a low probability of compromise of PI: that is, it is not reasonable to believe that the PI was compromised, and the incident is not reasonably likely to subject individuals to a risk of harm. If so, it is not a breach under RCW 42.56.590. End the process and conduct a debriefing.
- If there is more than a low probability of compromise of personal information, then a breach has occurred. Proceed with the notification steps required by RCW 42.56.590.
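The four-factor chart and the sum-then-determine steps above, carried through in code as an added example (not part of the original guide): the factor names follow the guide, while the numeric values for the ratings, the decision rule (at most one Moderate and no High counts as low probability) and both scenarios are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum

class Rating(IntEnum):
    LOW = 1       # the numeric values are what the guide's "sum your ratings" adds up
    MODERATE = 2
    HIGH = 3

# The four factors the guide says to rate, in the order it lists them.
FACTORS = (
    "Nature and extent of PI",
    "Unauthorized persons acquiring PI",
    "Risk whether PI was accessed or acquired",
    "Remaining risk after mitigation steps",
)

@dataclass
class BreachAssessment:
    ratings: dict[str, Rating]
    # Assumed decision rule (the guide states none): "low probability of compromise"
    # only if the sum allows at most one Moderate (four Lows sum to 4) and no factor
    # is High, so a single High cannot be averaged away by Lows elsewhere.
    low_probability_max_sum: int = 5

    def __post_init__(self) -> None:  # every factor rated exactly once; unrated is not "Low"
        missing = [f for f in FACTORS if f not in self.ratings]
        unknown = [f for f in self.ratings if f not in FACTORS]
        if missing or unknown:
            raise ValueError(f"missing factors {missing}, unknown factors {unknown}")

    def total(self) -> int:
        return sum(int(self.ratings[f]) for f in FACTORS)

    def low_probability_of_compromise(self) -> bool:
        no_high = Rating.HIGH not in self.ratings.values()
        return no_high and self.total() <= self.low_probability_max_sum

    def chart(self) -> str:  # the chart the guide asks for: one row per factor, sum, determination
        rows = [f"{f}: {self.ratings[f].name}" for f in FACTORS]
        rows.append(f"Sum of ratings: {self.total()}")
        verdict = "not a breach: debrief" if self.low_probability_of_compromise() else "breach: notify"
        rows.append(f"Determination: {verdict}")
        return "\n".join(rows)

# Constructed: client list with service types e-mailed to the wrong state employee, who is
# bound by confidentiality law, confirmed no access and returned it intact.
MISDIRECTED_EMAIL = BreachAssessment({FACTORS[0]: Rating.MODERATE, FACTORS[1]: Rating.LOW,
                                      FACTORS[2]: Rating.LOW, FACTORS[3]: Rating.LOW})
# Constructed: unencrypted laptop holding SSN-linked records stolen; access unknown.
STOLEN_LAPTOP = BreachAssessment({FACTORS[0]: Rating.HIGH, FACTORS[1]: Rating.HIGH,
                                  FACTORS[2]: Rating.MODERATE, FACTORS[3]: Rating.MODERATE})
```

Calling `chart()` on either scenario prints the filled-in chart; changing `low_probability_max_sum` lets an agency encode whatever threshold its own policy sets.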