Incident Response
PHI breach detection, containment, and notification procedures
This document covers what to do if Protected Health Information (PHI) is sent to an ad platform or otherwise exposed outside the intended scope.
Severity levels
| Level | Description | Response Time |
|---|---|---|
| P1 — Confirmed breach | PHI confirmed sent to Meta/Google | Within 1 hour |
| P2 — Suspected breach | Possible PHI exposure, not confirmed | Within 4 hours |
| P3 — Policy violation | Healthcare account misconfigured, no confirmed PHI sent | Within 24 hours |
Immediate containment (P1/P2)
Stop all exports (within 15 minutes)
Disable exports for the affected profile:
- Go to Settings > Integrations and disconnect Meta/Google destinations, OR
- Go to Conversion Sync > Destinations and disable all destination configs, OR
- Set `export_meta_enabled = false` and `export_google_enabled = false` in `profile_attribution_settings`
If not already active, switch privacy mode to HIPAA.
Assess scope (within 1 hour)
Query the conversion_exports ledger to determine:
- How many events were sent during the exposure window
- What data was in the payloads (check `privacy_mode_snapshot.mode` — if `"standard"`, payloads may contain unfiltered PII)
- How many individuals were affected
- Which PHI categories were involved (names, emails, health conditions, appointment types)
Check payload_redacted — if it contains full data (not {redacted: true, hipaa_mode: true}), PHI may be in the audit log.
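As an added example (not Atribu's own code), the scope assessment above carried out over conversion_exports rows in Python: it counts events in the exposure window, flags standard-mode exports, detects payloads that are not the HIPAA redaction marker, tallies distinct individuals and PHI categories, and maps the result onto the severity levels and the 500-individual notification threshold from this page. The row layout, the payload field names and the subject_id column are assumptions, and the ledger rows are constructed.

```python
from datetime import datetime

# Marker the runbook says a HIPAA-mode export leaves in payload_redacted.
REDACTED_MARKER = {"redacted": True, "hipaa_mode": True}
# Assumed payload field names, mapped to the PHI categories the runbook lists.
PHI_FIELDS = {"name": "names", "email": "emails",
              "condition": "health conditions", "appointment_type": "appointment types"}

def assess_scope(rows, window_start, window_end):
    """Summarise exposure from conversion_exports rows in [window_start, window_end).
    Row layout is assumed: exported_at (ISO 8601, UTC), destination, subject_id,
    privacy_mode_snapshot ({"mode": ...}) and payload_redacted (dict)."""
    events = standard = unredacted = 0
    individuals, categories, destinations = set(), set(), set()
    for r in rows:
        if not (window_start <= datetime.fromisoformat(r["exported_at"]) < window_end):
            continue
        events += 1
        destinations.add(r["destination"])
        if r["privacy_mode_snapshot"]["mode"] == "standard":
            standard += 1
        payload = r["payload_redacted"]
        if payload != REDACTED_MARKER:  # full data reached the audit log
            unredacted += 1
            individuals.add(r["subject_id"])
            categories.update(c for f, c in PHI_FIELDS.items() if payload.get(f))
    # Severity follows the runbook's table: PHI confirmed -> P1, standard-mode
    # exports with no PHI field found -> P2, otherwise P3.
    severity = "P1" if categories else ("P2" if standard else "P3")
    return {"events_in_window": events, "standard_mode_events": standard,
            "unredacted_payloads": unredacted, "individuals": len(individuals),
            "phi_categories": sorted(categories), "destinations": sorted(destinations),
            "severity": severity,
            "notification_track": "500+" if len(individuals) >= 500 else "fewer than 500"}

def row(ts, dest, subject, mode, payload):
    return {"exported_at": ts, "destination": dest, "subject_id": subject,
            "privacy_mode_snapshot": {"mode": mode}, "payload_redacted": payload}

# Constructed sample ledger (not real data); the last row predates the window.
SAMPLE_ROWS = [
    row("2024-05-01T10:00", "meta", "s1", "standard", {"email": "a@example.com", "condition": "asthma"}),
    row("2024-05-01T11:30", "google", "s2", "standard", {"name": "A. Person", "appointment_type": "oncology"}),
    row("2024-05-01T12:15", "meta", "s3", "hipaa", dict(REDACTED_MARKER)),
    row("2024-04-30T09:00", "meta", "s1", "standard", {"email": "a@example.com"}),
]

def sample_report():
    return assess_scope(SAMPLE_ROWS, datetime(2024, 5, 1, 9), datetime(2024, 5, 2))
```

The report feeds the "Document findings" record directly: number of events sent with PHI, categories exposed, destinations, and which notification track applies.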
Document findings
Record:
- Timeline: when misconfiguration started, when detected, when contained
- Affected profiles and workspaces
- Number of events sent with PHI
- Categories of PHI exposed
- Destinations that received the data
- Whether the data can be deleted from the destination
HIPAA breach notification rules
Under the HIPAA Breach Notification Rule (45 CFR 164.400-414):
500+ individuals affected
| Notify | Deadline |
|---|---|
| HHS (Department of Health and Human Services) | Within 60 days of discovery |
| State attorney general (affected states) | Within 60 days |
| Affected individuals | Within 60 days, by mail or email |
Fewer than 500 individuals
| Notify | Deadline |
|---|---|
| HHS | Annual log submission by March 1 of the following year |
| Affected individuals | Within 60 days |
Atribu's obligations as Business Associate
Under the BAA (Annex F, Section F-6), Atribu must:
- Report the breach to the Customer (Covered Entity) without unreasonable delay
- Provide: nature of incident, categories of affected data, likely consequences, mitigation steps
- The Customer is responsible for downstream notifications to HHS and individuals
Atribu reports to the customer, not to HHS directly
As a Business Associate, Atribu's notification obligation is to the Covered Entity (your customer). The customer then determines whether to notify HHS, state authorities, and affected individuals.
Post-incident review
After containment and notification:
- Root cause analysis — Why was the profile in standard mode? Was Healthcare Mode disabled accidentally? Did the onboarding flow miss the healthcare use case?
- Preventive measures — Should the workspace be in Healthcare Agency Mode? Are there other profiles that need migration?
- System improvements — Update detection logic, review allowlist defaults, consider additional safeguards
- Documentation — Record the incident in audit_log_events, update legal compliance notes, file per company policy