Restoring lost patient trust after a cyberattack

Rick Pollack, President and CEO of the American Hospital Association (AHA), said in a statement responding to the Change Healthcare cyberattack, “The Change Healthcare cyberattack is the most significant and consequential incident of its kind against the US health care system in history.” This cyberattack led to the data of 110 million individuals being hacked. 

The breach of personal health information may have damaged patient trust since such data is highly sensitive and the unauthorized disclosure can result in consequences, including identity theft or invading privacy. Restoring trust in the aftermath of such incidents requires a multifaceted approach.

How to restore patient trust

• Transparent communication: Be honest and clear about what happened, how it happened, and what you are doing to address the breach. Provide regular updates to patients.
• Apologize sincerely: Acknowledge the breach and apologize for the inconvenience and potential harm caused. 
• Explain the impact: Detail what specific data was compromised and how it might affect patients. This helps patients understand the scope of the breach.
• Offer support: Provide resources and support to affected individuals, such as credit monitoring services, counseling, and assistance with identity theft.
• Enhance security measures: Demonstrate a commitment to improving security by implementing stronger safeguards, conducting regular security audits, and investing in cybersecurity training for staff.
• Engage with patients: Create channels for patients to ask questions and express their concerns. Engaging directly with patients can help rebuild relationships.
• Implement lessons learned: Show that you are learning from the incident by making improvements and sharing those changes with patients to build confidence in your ability to protect their information.
• Seek third-party validation: Consider getting an external cybersecurity assessment or certification to validate your security improvements and enhance credibility.
• Maintain ongoing communication: Keep patients informed about ongoing security efforts and improvements to show that you are committed to protecting their information long-term.
• Review and refine policies: Regularly review and update your data protection policies and response plans to ensure they are robust and effective.

See also: HIPAA Compliant Email: The Definitive Guide

FAQs

What should be the first step after a data breach?

The first step is to assess the situation and contain the breach. Immediately inform key stakeholders, including your IT team and legal advisors. Once containment is underway, notify affected patients transparently and begin working on remediation and support measures.

Learn more: How to respond to a data breach

What support should be offered to affected patients?

Offer support such as free credit monitoring, identity theft protection services, and counseling. Provide clear instructions on how patients can access these services and any additional resources available to help them manage the impact of the breach.