July 15, 2025

There's a saying in cybersecurity: It's not if a breach happens—it's when. And when it does, having a calm, straightforward process can protect more than your systems. It protects your license, your staff, and your residents' trust.
A data breach in long-term care (LTC) can mean resident records being accessed by unauthorized individuals, ransomware freezing care plans, or billing information being stolen and sold. Under HIPAA and Ohio law, you're required to respond promptly, notify the right parties, and show that you had a plan in place before the incident occurred.
A proper breach response plan includes:

- Detection and containment — Stop the spread of the breach and isolate compromised systems
- Notification and reporting — Notify the HHS Office for Civil Rights (OCR), the Ohio Department of Health (ODH), and affected residents within the required timelines
- Investigation and documentation — Determine the cause, who was affected, and what was done
- Remediation and prevention — Update protocols, retrain staff, and strengthen defenses
One skilled nursing provider in Central Ohio followed its incident response plan (IRP) to the letter after an email hack. They identified the breach within four hours, alerted the OCR, and offered credit monitoring to the affected families. They were commended—not fined—due to their thorough documentation and transparency.
"How we respond in a crisis says more about us than the crisis itself." - Brené Brown
By contrast, another facility tried to handle it quietly. They delayed reporting, underestimated the scope, and failed to notify the families of two residents. When news broke, trust broke too. Staff morale dropped, and a lawsuit followed.
"Sunlight is the best disinfectant." - Louis Brandeis (as often quoted in compliance circles)
Your breach response plan isn't just about IT—it's about leadership. When a breach happens, how you respond is what people remember.
If your electronic medical record (EMR) system was breached tonight, would your team know who to call—and what to say?