Privacy Daily is a service of Warren Communications News.
'Help Me Help You'

Privacy Experts Say Planning and Cooperation With Authorities Are Key When Data Breach Hits

Preparation and understanding issues are key when responding to data breaches in the healthcare sector, said state privacy officials during a panel on federal and state enforcement of privacy and security violations at the National HIPAA Summit Wednesday.

“These days, it seems the question of a breach is not if, but when,” said Adam Greene, co-chair of the Health Information and HIPAA practice at Davis Wright Tremaine. Accordingly, health entities should plan wisely for potential data breaches, he said.

Tyler Bridegan, director of privacy and tech enforcement in the Texas attorney general’s office, said in the healthcare sector, most enforcement comes from states. “Things that we are constantly looking at [include]…how many affected consumers there are, how many repeat breaches...a hospital system or healthcare company might have had, and how quickly notice is going [out], both to our office and to affected consumers,” he said. “Our view has been evolving over time, over what is ... a reasonable [reporting] delay versus what isn't -- especially when these are some of the nationwide breaches -- and how quickly companies are responding to them and what they're doing to mitigate.”

Aaron Zelinsky, assistant U.S. attorney in the Fraud and Public Corruption Section of the U.S. Attorney’s Office in the District of Maryland, said preparation in anticipation of a breach is indispensable. “You don't want to be building the plane while you're flying it,” he said. “You want to have a plane in advance. You want to have people that you've already spoken to, and you want to have gamed out your response, if at all possible.”

Beyond that, Zelinsky said, entities must adapt and pivot. Practice also is helpful. “No plan survives first contact with the enemy,” he said. But, "it's just easier if it's not the first time that you've interacted on these issues or thought about them when something happens. Because, inevitably, when a breach occurs, it's going to be an all-hands-on-deck scramble to try to figure out what to do.”

Communication is also important, and it flows both ways, Zelinsky said. “I've had occasions, when I was a prosecutor, where we would obtain information indicating" people "were currently being breached or that were being targeted,” and we proactively reached out, he said.

Regulators and enforcers can also help the mitigation process, he said. “If there's an ongoing breach, the most important thing is going to be to try to evict the people from your system, and so that's your number one priority when you're in those circumstances,” Zelinsky said. “It may be in the best interest at that point to contact” state, local and federal authorities once you understand what's happening.

Bridegan also said timeliness of breach notices is important for trust and transparency. “If you were the entity breached, but your customers reported [the breach] well before you did, that doesn't look particularly reasonable, at least on its face."

Zelinsky said ultimately, cooperation with authorities is key. “Help me help you,” he said.