Responding to a Third-Party Data Breach: Practical Legal and Compliance Steps

Cyberattacks and data incidents are rapidly increasing, and third-party service providers are a frequent source of exposure for healthcare organizations. Healthcare is a prime target for cybercriminals: according to the U.S. Department of Health and Human Services Office for Civil Rights (“OCR”), ransomware and hacking are the primary cyber threats facing the sector.

Compounding the risk are the interdependencies among the vendors and subcontractors that make up the infrastructure necessary to support delivery of and payment for healthcare services. As is becoming ever more evident, notification of a vendor cyber incident must be treated as an expected event, not a remote possibility. The unfolding Change Healthcare cyber incident is an illustrative example on an international scale, affecting organizations of all sizes.

Key action items healthcare organizations should consider upon becoming aware of such an incident include:

1. Assemble the Team

Reach out to the pre-identified short list of initial responders. Gather the team and share what is known, as appropriate, in the early stages of the event. Start a written timeline at this point (when the vendor’s notice was received, what it said, and what the organization has done since), because regulatory notification clocks generally run from the date the incident is discovered.

A critical player at this stage is a trusted legal advisor with experience in data breach analysis. Counsel can provide legal guidance from the initial phases of the investigation, and involving counsel early also improves the prospects of attorney-client privilege attaching to initial conversations and work product, which may ultimately help protect the organization in lawsuits or government investigations that follow the cyber event. Privilege is not automatic, however: it depends on counsel actually directing the work for the purpose of providing legal advice, so forensic and other consultants are typically retained through counsel rather than directly.

Other key resources to engage early include a forensics consultant experienced in healthcare data breaches and public relations and crisis communications teams. If the organization carries cyber insurance, notify the carrier promptly as well; many policies require notice within a short window and limit coverage to counsel and forensic vendors from an approved panel.

2. Understand the Incident — As Much as Possible

In the early stages of an incident, it can be challenging to understand what has occurred, or what is still occurring. Under that pressure, organizations may feel compelled to act immediately. It is critical, however, to understand the incident as well as possible before reacting. Before committing to any course of action, ensure that the key stakeholders clearly distinguish what is actually known from what is likely or merely speculative, and that the distinction is recorded, since early statements to regulators, patients, and the press are difficult to walk back.

Questions to consider include:

  • What has happened, and is it still happening?
  • Which vendor was affected, and what data, systems, or functions of the organization does that vendor hold or support?
  • What part of the organization is affected?
  • What is known, and from what source (the vendor’s notice, the organization’s own logs, public reporting)?
  • What is unknown?
  • What are the risks, including whether the vendor has network or credentialed access into the organization’s own environment?

Undoubtedly, organizations will be forced to move forward with incomplete information. But focusing on corralling facts, and on documenting when each fact became known, helps an organization navigate the uncertainties attendant to a cyber incident.

3. Implement Incident Response and Disaster Recovery Plans

Put the organization’s incident response and disaster recovery plans into motion. Focus on key systems, functionalities, and needs, including the integrity and availability of the data needed to support those activities. For a vendor incident this has two sides: containing any exposure the vendor creates for the organization’s own environment (for example, disabling or closely monitoring the vendor’s connections and rotating any shared credentials), and invoking the contingency plan for operating without the vendor’s service if it is unavailable for an extended period.

4. Analyze and Report

In close parallel with the processes above, organizations should crosswalk the impacts of the event with applicable legal requirements. Reporting and other notice obligations can attach to a variety of incidents and can require reports on a tight timeframe. Frequently, traditional healthcare providers and their vendors are subject to the Health Insurance Portability and Accountability Act (“HIPAA”) requirements. Under the HIPAA Breach Notification Rule, a business associate must notify the covered entity of a breach of unsecured protected health information, and the covered entity must then notify affected individuals (and HHS, and for breaches affecting more than 500 individuals, the media) without unreasonable delay and no later than 60 calendar days after discovery; the covered entity may delegate that task to the vendor by contract but remains responsible for it. However, HIPAA stands as a floor, not a ceiling, and companies operating in the healthcare industry must understand a growing and increasingly complex web of legal and regulatory requirements, from the Federal Trade Commission, Food and Drug Administration, Department of Justice, Securities and Exchange Commission, states (many of which impose their own, sometimes shorter, deadlines), and international governing bodies.

This is also an opportunity to consider whether additional support may be needed in preparing notifications — whether from a legal analysis perspective, operational support for large communications campaigns, or setting up a call center or other outreach.

5. Contract Analysis and Indemnification

As organizations pivot from the initial operational response to a cyber incident, they should work to understand the relevant agreements, including the business associate agreement and any master services agreement with the affected vendor. Concepts to review and consider include:

  • requirements for notice to counterparties, including the breach-notice timeline in the business associate agreement, which is often shorter than the regulatory deadline;
  • termination provision thresholds and timelines;
  • any requirements for preserving rights or engaging protections under the agreement, such as written notice within a fixed period;
  • indemnification provisions and the process for invoking them, including any cap on the vendor’s liability; and
  • generally becoming poised for potential contract dispute processes, which starts with preserving the organization’s own records of the incident and its costs.

6. Apply Lessons Learned

As threats evolve or become apparent, healthcare organizations must apply what they learn when evaluating their own internal processes and preparedness. A vendor cyber incident merits not only a direct response to the notification and the issue at hand, but also a broader analysis of the organization’s own position. Could the vendor incident have affected the organization in ways not yet apparent? Should the organization conduct its own round of heightened internal review and monitoring? Should the incident prompt a fresh look at the existing risk analysis and response plans, and at the vendor inventory itself, so that the next notice arrives for a vendor whose data and access the organization already understands? The answer to all is: yes.

As the recent Change Healthcare cyber incident shows, cyber incidents affect organizations of all sizes, and no organization is immune, whether from direct threats or threats through vendors and third parties. Although the adage may be trite, the healthcare industry cannot afford to ignore that the question of a cyber incident truly is “not if, but when” (if not already). Preparation and response are dynamic processes that should form a critical part of an organization’s ongoing operational and compliance endeavors. For more information, please contact AGG Privacy & Cybersecurity co-chair Jackie Cooney or AGG Healthcare partner Madison Pool.