
Successful Data Breach Communication – Ep 421 

 August 25, 2023

By  Donna Grindle

Organizations must be prepared to communicate effectively in a crisis. Karen Phillips, of Phillips & Marek, joins us to discuss strategies and best practices for managing data breaches and how to communicate with stakeholders, including internal staff, patients and the media.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!



Successful Data Breach Communication

[00:27] Karen Phillips joins David today to discuss a topic that most organizations don’t fully think through and have a plan for before a crisis hits – PR. Karen has been in marketing for over 30 years and is the Principal of Phillips & Marek. She has worked on the client and agency side of the business and assists in providing marketing solutions in the healthcare, medical science, technology and advocacy industries. Karen admits that “data breach PR is a whole new beast in itself.”

[05:00] In a crisis situation, it’s important for organizations to have a skilled PR person who can communicate effectively with the media and handle messaging. This person should be employed or hired by the attorney to ensure attorney-client privilege. The messaging needs to be carefully orchestrated, and all communication should be approved by the attorney. The message to employees should be transparent about the situation and what needs to be done, while keeping panic away from patients. A video with the CEO can be helpful to deliver a consistent message to all employees, along with a companion flyer posted for reference.

The 3 key messages to stress throughout the organization are:

  1. The organization needs to speak with one voice.
  2. Everyone should lead with compassion.
  3. Triage questions out of the clinic.

You should always assume that whatever you put out there, it will get out. People talk. People post things, good or bad, on social media. So, it’s important to make sure your message is consistent and aims to avoid speculation.

[15:54] Here is Karen’s checklist, “Successful Data Breach Communication Begins Before the Incident”:

  1. Select a spokesperson for the organization. Employees should not speak on behalf of the organization during a data breach. Only designated and trained individuals, such as the CEO or HIPAA compliance officer, should handle communication. Credibility and authority are important, and preparation is necessary for quick and effective response.
  2. Draft your message. Have at least 3 key messages – What’s happened? When and how was the incident discovered? What’s the organization doing in response? You want to be transparent, but not give more information than anybody needs. Usually, the details are coming out slowly anyway, so you may not have all the answers yet. Don’t put anything out there that you don’t want to stick.
  3. [23:12] Train your spokespeople. Practice your messaging with those who will be delivering it. Include PR and communication of messages in your tabletop exercises. Make sure your spokespeople can handle questions in the heat of the moment and they aren’t saying things for the first time.
  4. Develop a rapid, internal communication plan. This includes how you tell employees and vendors what happened before it hits the media or before patients start talking about it and asking questions. This is different in every organization but something that should be developed beforehand and not when the crisis hits.
  5. Determine how to notify the people who are affected. Effective communication is important during a data breach. There need to be systems in place to know patients’ preferred method of communication as well as how to handle questions and concerns from affected individuals. Understanding what services the organization is offering individuals who are affected is also important.
  6. [33:35] Know how to work with an outsourced call center. Give the call center your script and let your PR person be a part of this process. It’s important to QC the call center staff to ensure your message is being delivered and questions are being fielded appropriately. Use “mystery callers” to test the call center staff. Make sure there is a call log and that calls are recorded so you can QC calls that way as well.
  7. Establish an internal escalation line. Not everyone is going to want to talk to an outsourced call center. Sometimes callers have questions that patient-facing people or the call center don’t have answers to. People on the escalation line are the ones with the most up-to-date information.
  8. Have a process for notifying the media. During a crisis, the goal is to meet your requirements where notifying the media is concerned, while also trying to stay out of the news. The size of an organization usually determines media interest. Notification to media outlets may be obligatory, but you don’t have to put it on the newswire. If it does hit the news, make sure the right people are answering media questions and that they are practiced in the message.

[40:20] Many times a data breach requires you to put a notice on your website, which goes down the path of social media. Be cautious of social media’s impact on information and employee response. Phone calls are no longer the only mode of communication. Messages now come through social media platforms like Facebook, Twitter (or X), and LinkedIn. Managing all these channels can be overwhelming. Having a plan in place beforehand will put you ahead of the game.

You can contact Karen and the team at Phillips & Marek via their website. You can also download a copy of the PDF checklist of their tips for successful data breach communication from the Downloads page or by clicking here.

Effective communication during a data breach is crucial for minimizing damage and maintaining trust. It also demonstrates the organization’s commitment to addressing the issue responsibly, which can help reduce confusion and panic. In essence, communication during a data breach is not only a strategic necessity but also an ethical obligation that can safeguard both individuals’ interests and the organization’s reputation.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance,

it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
