Faced with two separate and wide-ranging data breaches affecting more than a million patients, a health system needed our support as they navigated the complex corrective actions each crisis required. The tangle of problems stemmed from malicious phishing attacks that infiltrated the client’s email system, which not only exposed private health information but also threatened team member direct deposits.
With the clock ticking on mandated reporting to affected parties as well as notification to the media and government entities, the client needed a trusted partner to help guide them through the recovery process. Complicating factors included vast numbers of people spread over several markets scattered across the country, a convoluted timeline of how the breaches occurred, and rapidly evolving situations.
Strategy and Tactics
Lovell worked collaboratively with the client’s inside and external legal counsel and a forensics team to process the complex and overwhelming data surrounding the security breaches. We collaboratively developed the narrative to help explain what occurred and what the health system was doing to address the issues and protect their patients and employees.
We developed a multi-phased plan to communicate with stakeholders during each step of the notification and recovery process, including a highly detailed analysis of markets requiring media notification. The plan helped identify key stakeholders, offered nuanced guidance for effectively communicating with each, and outlined both the necessary and suggested strategies and actions.
Execution and Results
Thanks to a high level of collaboration between Lovell, the client and their legal counsel, the health system was able to adapt responses to their constantly evolving situation. Because robust detail was provided during the second phase of the security breach, subsequent media coverage was balanced and contained, and the client was able to engender confidence from the affected parties.