1. Purpose & Scope
This Data Breach Response Plan establishes the procedures and responsibilities for detecting, responding to, and recovering from data breaches involving protected health information (PHI), personally identifiable information (PII), or other sensitive data processed by MayDay-IC. This plan applies to all employees, contractors, business associates, and third-party service providers who access, process, store, or transmit data on behalf of MayDay-IC and its parent company, Blue Beard Solutions Inc.
The objectives of this plan are to:
- Minimize the impact of data breaches on affected individuals
- Ensure compliance with all applicable federal, state, and international breach notification requirements
- Preserve evidence for potential law enforcement investigations
- Restore the integrity and security of affected systems
- Prevent recurrence through root cause analysis and remediation
2. Definition of a Data Breach
A data breach is the unauthorized access, acquisition, use, or disclosure of protected health information (PHI), personally identifiable information (PII), or other sensitive data that compromises the security, confidentiality, or integrity of such information. Under HIPAA, a breach is specifically defined as the acquisition, access, use, or disclosure of PHI in a manner not permitted under the Privacy Rule that compromises the security or privacy of the PHI (45 CFR 164.402).
Examples of data breaches include but are not limited to:
- Unauthorized access to patient records or incident data
- Theft or loss of devices containing unencrypted PHI or PII
- Ransomware or malware attacks that compromise data availability or integrity
- Unauthorized transmission of PHI to incorrect recipients
- Improper disposal of records containing sensitive information
- Insider threats or unauthorized employee access
- Phishing attacks resulting in credential compromise
- Third-party vendor security incidents affecting our data
3. Breach Response Team
The Breach Response Team is responsible for managing all aspects of incident response. The team consists of the following roles:
| Role | Responsibilities |
|---|---|
| Privacy Officer | Leads breach investigation, determines notification requirements, coordinates with affected individuals, maintains breach log, ensures HIPAA compliance |
| Security Officer | Leads technical investigation, coordinates containment and remediation efforts, preserves forensic evidence, implements security improvements |
| Legal Counsel | Advises on legal obligations, manages regulatory notifications, coordinates with law enforcement, oversees litigation risk assessment |
| Communications Lead | Drafts notification letters and public statements, manages media inquiries, coordinates internal communications, handles customer support escalations |
Additional team members may be activated as needed, including IT operations staff, human resources representatives, and external forensic investigators.
4. Incident Classification
All potential breaches are classified by severity level to ensure appropriate resource allocation and response urgency:
| Severity | Description | Examples | Response Time |
|---|---|---|---|
| Low | Minor incident with minimal risk of harm to individuals | Misdirected email to internal recipient, brief unauthorized viewing of a single record with no evidence of further disclosure | Assessment within 72 hours |
| Medium | Incident involving limited exposure of sensitive data with moderate risk | Lost encrypted device, unauthorized access to a small number of records, phishing attempt with limited credential exposure | Assessment within 24 hours |
| High | Significant exposure of sensitive data affecting multiple individuals | Unencrypted data exposure, ransomware affecting patient databases, unauthorized bulk data access | Immediate assessment and containment |
| Critical | Large-scale breach with potential for serious harm to many individuals | Complete database exfiltration, widespread ransomware attack, compromise of encryption keys, breach affecting 500+ individuals | Immediate all-hands response |
5. Response Timeline
The breach response process follows a structured timeline to ensure rapid and effective action:
Phase 1: Discovery
A potential breach may be discovered through automated monitoring systems, employee reports, third-party notifications, or customer complaints. All employees are required to report suspected breaches immediately to the Security Officer or Privacy Officer. The clock for notification requirements begins at the time the breach is discovered or reasonably should have been discovered; under HIPAA, a breach is treated as discovered on the first day it is known to any workforce member or agent (other than the person who committed it), or would have been known by exercising reasonable diligence (45 CFR 164.404(a)(2)).
Phase 2: Assessment (Within 24 Hours)
The Breach Response Team conducts an initial assessment to determine the nature and scope of the incident, identify the types of data involved, estimate the number of affected individuals, and classify the severity level. The team determines whether the incident constitutes a reportable breach under applicable laws.
Phase 3: Containment (Immediate)
Containment measures are implemented immediately upon confirmation of a breach. These may include isolating affected systems, revoking compromised credentials, blocking unauthorized access paths, preserving forensic evidence, and activating backup systems as necessary.
Phase 4: Notification
Notification timelines vary by applicable law:
- HIPAA: Individual notification without unreasonable delay and no later than 60 calendar days after discovery (45 CFR 164.404); media and HHS notification for breaches affecting 500 or more individuals (45 CFR 164.406, 164.408)
- GDPR: Supervisory authority notification within 72 hours (Article 33); data subject notification without undue delay (Article 34)
- State Laws: Timelines vary by state (see Section 8 below)
Phase 5: Remediation
Following containment, the team implements corrective actions to address the root cause of the breach, strengthen security controls, and prevent recurrence. This includes patching vulnerabilities, updating access controls, enhancing monitoring, and conducting additional employee training as warranted.
Phase 6: Post-Incident Review
Within 30 days of breach resolution, the team conducts a comprehensive post-incident review to evaluate the effectiveness of the response, identify lessons learned, update policies and procedures, and document findings for regulatory and compliance purposes.
6. HIPAA Breach Notification Requirements
As a platform handling protected health information, MayDay-IC complies with all HIPAA breach notification requirements:
Individual Notice (45 CFR 164.404)
Written notification must be provided to each affected individual without unreasonable delay and no later than 60 calendar days after discovery of the breach. The notice must include a description of the breach, the types of information involved, steps individuals should take to protect themselves, what we are doing to investigate and mitigate the breach, and contact information for questions. If contact information is out of date or insufficient for 10 or more individuals, substitute notice must be provided either by conspicuous posting on the home page of our website for 90 days or by conspicuous notice in major print or broadcast media, in either case including a toll-free number, active for at least 90 days, that individuals can call to learn whether their PHI was involved.
HHS Notification (45 CFR 164.408)
If a breach affects 500 or more individuals, we must notify the Secretary of Health and Human Services (HHS) contemporaneously with individual notice, without unreasonable delay and no later than 60 days from discovery. For breaches affecting fewer than 500 individuals, we maintain an annual log and submit it to HHS within 60 days of the end of the calendar year.
Media Notification (45 CFR 164.406)
If a breach affects 500 or more individuals in a single state or jurisdiction, we must provide notice to prominent media outlets serving that state or jurisdiction, without unreasonable delay and no later than 60 days from discovery.
Annual Breach Log
For breaches affecting fewer than 500 individuals, MayDay-IC maintains a detailed breach log documenting each incident, the number of individuals affected, and the actions taken. This log is submitted to HHS annually as required.
6a. 42 CFR Part 2 Breach Notification — Substance Use Disorder Records
A breach involving records protected by 42 CFR Part 2 (substance use disorder treatment records) carries heightened legal and ethical obligations beyond standard HIPAA requirements. Because these records reveal substance use disorder status — information that carries significant societal stigma and legal consequences — MayDay-IC treats any unauthorized disclosure of 42 CFR Part 2-protected records as a High or Critical severity breach regardless of the number of individuals affected.
Accelerated Notification Timeline
For breaches involving 42 CFR Part 2-protected records, MayDay-IC applies an accelerated notification standard:
- Affected Individual Notice: Within 24 hours of determining a breach has occurred (shorter than the standard 60-day HIPAA window), unless notice would impede a law enforcement investigation with a valid court order.
- SAMHSA Notification: The Substance Abuse and Mental Health Services Administration (SAMHSA) is notified as appropriate given the nature and scale of the breach.
- HHS Notification: Per standard HIPAA Breach Notification Rule requirements (45 CFR 164.408).
Additional Response Requirements
- All 42 CFR Part 2 breach notifications must include the mandatory re-disclosure prohibition statement.
- All audit logs and access records related to the breach are preserved and available for regulatory investigation.
- A root cause analysis and corrective action plan are completed within 30 days.
- Affected individuals are provided with specific guidance on the heightened risks associated with SUD record disclosure (e.g., impacts on employment, insurance, and criminal proceedings).
6b. FERPA Breach Notification — Educational Roster Records
FERPA (20 U.S.C. § 1232g; 34 CFR Part 99) does not contain a standalone breach notification requirement. However, unauthorized access to or disclosure of FERPA-protected education records triggers the following obligations:
- Immediate notification to the affected educational institution — the institution is the data owner and must be informed so it can fulfill its own obligations, including notifying parents and eligible students.
- State breach notification law compliance — most state breach notification statutes cover personally identifiable information that includes student records. MayDay-IC complies with applicable state laws (see Section 8).
- U.S. Department of Education notification — if required by contract, grant terms, or applicable law, we will notify the Department's Student Privacy Policy Office (SPPO).
- Documentation — all FERPA breach incidents are documented for a minimum of 6 years.
6c. PREA Breach Notification — Correctional Facility Records
A breach involving inmate census data or information subject to PREA confidentiality requirements (28 CFR Part 115) requires the following response steps in addition to standard breach procedures:
- Immediate notification to the affected correctional facility — the facility's PREA Coordinator must be informed within 24 hours.
- Detailed breach report for PREA compliance documentation — provided to the facility within 5 business days, documenting what records were involved, who had access, and corrective actions taken.
- DOJ notification — if the breach may implicate the Department of Justice's PREA oversight functions or the National PREA Resource Center, we will notify the appropriate authority.
- Full cooperation with any investigation by the Department of Justice, Bureau of Justice Assistance, or the facility's own investigators.
MayDay-IC treats any unauthorized disclosure of PREA-sensitive information (inmate vulnerability status, sexual abuse allegations, special housing assignments) as a Critical severity breach.
7. GDPR Breach Notification
For data subjects in the European Economic Area (under the GDPR) and the United Kingdom (under the UK GDPR, which carries the same Article 33 and Article 34 duties), MayDay-IC complies with the following breach notification requirements. Swiss data subjects are covered by the revised Swiss Federal Act on Data Protection rather than the GDPR; it imposes an analogous duty to notify the Federal Data Protection and Information Commissioner as soon as possible when a breach is likely to result in a high risk to the data subject.
Supervisory Authority Notification (Article 33)
We will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. A notification made after 72 hours must be accompanied by the reasons for the delay. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed to address the breach, and the contact details of our data protection officer or other contact point. Every personal data breach, whether or not it is notified, is documented so that the supervisory authority can verify compliance (Article 33(5)).
Data Subject Notification (Article 34)
When a breach is likely to result in a high risk to the rights and freedoms of individuals, we will communicate the breach to affected data subjects without undue delay. The communication will describe the nature of the breach in clear and plain language and provide recommendations for mitigating potential adverse effects.
8. State Breach Notification Laws
MayDay-IC complies with breach notification laws in all U.S. states and territories. Key state-specific requirements include:
| State | Key Requirements |
|---|---|
| California | Attorney General notification required when a single breach affects more than 500 California residents. Notice must be provided in the most expedient time possible and without unreasonable delay. Data elements triggering notification include name plus SSN, driver's license or state ID number, financial account number with access code, medical information, health insurance information, or unique biometric data, as well as a username or email address together with a password or security question that would permit account access. |
| New York | SHIELD Act (Stop Hacks and Improve Electronic Data Security Act) requires notification to affected individuals, the Attorney General, the Department of State, and the Division of State Police. Expanded definition of private information includes biometric data and account credentials. |
| Florida | Notice must be provided within 30 days of determination of the breach. Notification to the Florida Department of Legal Affairs is required if breach affects 500+ individuals. Includes provisions for harm analysis. |
| Texas | Notice must be provided within 60 days of determining a breach has occurred. Attorney General notification required if breach affects 250+ Texas residents. The Texas Identity Theft Enforcement and Protection Act governs requirements. |
Each state's notification requirements are evaluated individually for every breach to ensure full compliance. MayDay-IC maintains a comprehensive reference of all state breach notification statutes and updates them as new laws are enacted or existing laws are amended.
9. Risk Assessment Factors
Under HIPAA, an impermissible acquisition, access, use, or disclosure of PHI is presumed to be a breach unless we can demonstrate a low probability that the PHI has been compromised. We apply the four-factor risk assessment to make that determination (45 CFR 164.402, paragraph (2) of the definition of breach):
The Four-Factor HIPAA Risk Assessment
- Nature and Extent of PHI: What types of identifiers and information were involved? Does the information include clinical data, financial information, Social Security numbers, or other highly sensitive elements?
- Unauthorized Person: Who gained unauthorized access? Was it an employee, an external actor, or a known third party? What is the likelihood that the person can use or further disclose the information?
- Whether PHI Was Actually Acquired or Viewed: Was the information actually accessed, viewed, downloaded, or exfiltrated? Or was there only the opportunity for access without evidence of actual viewing?
- Extent of Mitigation: What steps have been taken to reduce the risk of harm? Were compromised records recovered? Was the unauthorized recipient required to destroy the information? Were assurances of non-disclosure obtained?
If, after completing this risk assessment, we determine that there is a low probability that the PHI has been compromised, the incident is not a reportable breach. The burden of demonstrating that conclusion rests with MayDay-IC (45 CFR 164.414), so we document every such determination, including the analysis of each factor, and retain it for six years as required by HIPAA.
10. Remediation & Prevention
Following any data breach, MayDay-IC implements comprehensive remediation measures to address vulnerabilities and prevent future incidents:
- Technical Remediation: Patching exploited vulnerabilities, updating firewall rules and intrusion detection systems, rotating compromised credentials and encryption keys, enhancing monitoring and alerting capabilities
- Policy Updates: Revising access control policies, strengthening password and authentication requirements, updating data handling procedures, enhancing vendor security requirements
- Training: Conducting targeted security awareness training, performing tabletop exercises based on the incident, reinforcing reporting procedures and responsibilities
- Infrastructure Improvements: Implementing additional encryption, enhancing network segmentation, deploying advanced threat detection tools, improving backup and recovery capabilities
- Third-Party Review: Engaging external security auditors for independent assessment when warranted, reviewing and updating business associate agreements
11. Record Keeping
MayDay-IC maintains comprehensive documentation of all breach investigations, risk assessments, notifications, and remediation actions for a minimum of six (6) years, as required by HIPAA (45 CFR 164.530(j)). Records include:
- Incident detection and reporting records
- Investigation findings and forensic analysis reports
- Risk assessment documentation and determinations
- Notification letters and proof of delivery
- Regulatory filings and correspondence
- Remediation plans and implementation records
- Post-incident review reports and lessons learned
- Training records related to breach response
All records are maintained in a secure, access-controlled repository and are available for regulatory inspection upon request.
12. Contact
To report a suspected data breach or for questions about this Breach Response Plan, please contact us:
Email: info@maydayic.com
Blue Beard Solutions Inc.
Security & Privacy Team