Activity 3: Cyber Breach Activity (100 points)
This activity is comprised of two parts. (100 points) (A two-page response is required for the combination of Parts A and B.)
You work in a healthcare technology company that provides software technology to 100 hospitals throughout the United States. As a result, your software stores patient data for about 10 million patients across all of your customers. To better protect data, you're working on a project to deploy encryption technology across all locations so that all customer data is encrypted.
The data is segmented and stored in the following ways:
- Five million patient data records in Location A
- Two million patient data records in Location B
- Three million patient data records in Locations C
The encryption project is about 30 percent complete, with Location C being the first to achieve full encryption. Data in this location, even if breached, can't be viewed or understood by unauthorized individuals. Today, you learned that a breach happened on your network, and hackers were able to gain access to all three locations.
Part A: Discuss the purpose of patient breach notifications and whether patient breach notification is required in this case. If so, how many notifications need to go out, and within what timeframe should they be sent? (50 points)
Resources:
- Page 169 of your textbook
- US Department of Health and Human Services – Health Information Privacy
- US Department of Health and Human Services – Breach Notification
Part B: Select one of the latest breaches reported to HHS in the following link, and draft a breach notification letter to send to those affected. (50 points)
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
