How to Report Phishing in Healthcare: A HIPAA-Compliant Step-by-Step Guide
Phishing remains one of the fastest ways attackers reach electronic systems that hold Protected Health Information (PHI). When it happens, you must act quickly, methodically, and in line with HIPAA breach notification requirements. This step-by-step guide shows you how to contain the incident, notify the right parties, and document every action with confidence.
Follow the sections below in order. They map to what regulators expect and help you reduce risk to patients, operations, and compliance standing.
Assess the Incident
Contain and preserve evidence
- Isolate affected inboxes and devices, disable compromised accounts, revoke tokens, and force credential resets with multi-factor authentication.
- Preserve the phishing email, headers, attachments, and relevant system and audit logs. Do not alter artifacts; maintain a clear chain of custody.
- Notify your security/privacy officer and incident response team immediately; loop in legal counsel and compliance early.
Determine whether PHI was involved
- Identify systems, mailboxes, or apps the attacker could access and whether any PHI or ePHI was viewed, acquired, or exfiltrated.
- Catalog the data elements potentially exposed (for example, names, medical record numbers, diagnoses, images, insurance IDs, Social Security numbers).
Apply HIPAA’s four-factor risk assessment
Decide whether the incident is a reportable breach by evaluating:
- The nature and extent of PHI involved (sensitivity, identifiability).
- The unauthorized person who used or received the PHI.
- Whether the PHI was actually acquired or viewed.
- The extent to which the risk has been mitigated (for example, confirmation that the email was not opened, binding deletion assurances).
Document the analysis and conclusion. Consider exceptions (for example, unintentional good-faith access by an authorized workforce member) and whether PHI was “secured” (for example, properly encrypted) before exposure.
If you are a business associate
Notify the covered entity without unreasonable delay (no later than 60 calendar days after discovery) and provide all details needed for their HIPAA breach notification duties.
Notify Affected Individuals
Timing and method
- Send written notice to each affected individual without unreasonable delay and no later than 60 calendar days from discovery of the breach.
- Use first-class mail or email if the person has agreed to electronic notice. If contact information is insufficient for 10 or more individuals, provide substitute notice (for example, a conspicuous website posting or media notice) with a 90-day toll-free call center.
Content of the notice
Your letter should clearly state:
- What happened, including the breach and discovery dates, if known.
- What types of PHI were involved.
- What steps individuals should take to protect themselves (for example, credit monitoring, password changes, fraud alerts).
- What you are doing to investigate, mitigate harm, and prevent a recurrence.
- How to reach you for questions (phone, email, postal address).
If a breach affects 500 or more residents of a state or jurisdiction, also notify prominent media outlets serving that area within 60 days. Review any applicable state breach-notification laws that may add content or timing requirements.
Report to the Secretary of HHS
When and how to report
- 500 or more individuals: Report to the Secretary of Health and Human Services without unreasonable delay and no later than 60 calendar days after discovery via the HHS breach reporting portal. The Office for Civil Rights (OCR) processes these submissions.
- Fewer than 500 individuals: Maintain a log and submit the incident to HHS within 60 days of the end of the calendar year in which the breach was discovered, using the same HHS breach reporting portal.
Information to include
- Covered entity (and business associate, if applicable) details and contacts.
- Number of individuals affected and the incident’s location(s) and dates.
- Types of PHI involved and a brief description of what happened.
- Mitigation steps taken and whether law enforcement requested a delay.
Submit promptly with the best available information, then update the report as your investigation refines the facts. Keep a copy of all entries and confirmations.
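As an added example (not part of the original guide), a small Python helper that turns the notification ceilings from the individual-notice and HHS sections above into concrete dates for the incident record; the function names, the ISO-string interface, and the per-state count input are assumptions of the example.

```python
from datetime import date, timedelta

# Deadlines from the guide above (HIPAA Breach Notification Rule). All are
# ceilings: "without unreasonable delay" still governs. Function and field
# names are hypothetical helper names, not from any regulation or product.
NOTICE_WINDOW = timedelta(days=60)


def notification_deadlines(discovered: str, affected: int, max_in_one_state: int,
                           business_associate: bool = False) -> dict[str, str]:
    """Map each notification the breach triggers to its last permitted date (ISO)."""
    found = date.fromisoformat(discovered)
    deadlines = {}
    if business_associate:
        # A BA notifies the covered entity; the covered entity then owns the rest.
        deadlines["covered_entity"] = found + NOTICE_WINDOW
    else:
        deadlines["individuals"] = found + NOTICE_WINDOW
        if max_in_one_state >= 500:          # media notice for that state/jurisdiction
            deadlines["media"] = found + NOTICE_WINDOW
        if affected >= 500:                  # report to HHS now
            deadlines["hhs"] = found + NOTICE_WINDOW
        else:                                # log now, file within 60 days of year end
            deadlines["hhs_annual_log"] = date(found.year, 12, 31) + NOTICE_WINDOW
    return {k: v.isoformat() for k, v in deadlines.items()}


def days_remaining(deadline: str, today: str) -> int:
    """Positive while time remains, negative once the deadline has passed."""
    return (date.fromisoformat(deadline) - date.fromisoformat(today)).days


if __name__ == "__main__":
    for name, dl in notification_deadlines("2024-03-10", 620, 620).items():
        print(f"{name}: {dl} ({days_remaining(dl, '2024-03-20')} days left)")
```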
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Report to the Office of Inspector General
If phishing appears linked to fraud, waste, or abuse (for example, false Medicare/Medicaid billing, kickbacks, identity theft, or misdirection of funds), escalate to your compliance team and make a separate report through the Office of Inspector General hotline. This is distinct from HIPAA breach notification and supports healthcare fraud reporting obligations.
- Use the Office of Inspector General hotline (1-800-HHS-TIPS or 1-800-447-8477; TTY 1-800-377-4950) or the OIG online intake.
- Provide specifics: who is involved, what occurred, dates, amounts, systems touched, and any preserved evidence.
Document the Incident
Records to maintain (retain for at least six years)
- Incident timeline, indicators of compromise, preserved artifacts, and audit logs.
- The HIPAA four-factor risk assessment and your breach/non-breach rationale.
- Copies of all individual notices, media notices (if any), and HHS submissions and receipts.
- Communications with business associates, law enforcement, OCR, and OIG.
- Post-incident actions: sanctions (if applicable), mitigation steps, and remediation plans.
Strengthen defenses after phishing
- Harden email: implement SPF, DKIM, and DMARC; block auto-forwarding; tighten attachment and link policies.
- Improve access controls: enforce MFA, least privilege, conditional access, and timely deprovisioning.
- Enhance monitoring: EDR, SIEM use cases for mailbox access, impossible travel, and bulk downloads.
- Train and test: targeted phishing simulations, just-in-time education, and role-based security training.
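An added example, not from the original guide or any vendor product: a Python sketch of the "impossible travel" and "bulk download" SIEM use cases from the monitoring bullet above, run over a constructed mailbox audit log; the CSV layout, coordinates, action names, and thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample mailbox audit log (CSV: ts,user,action,lat,lon); the format
# and values are hypothetical. A sign-in from another continent 20 minutes after
# the first, then a burst of attachment downloads, is the post-phishing pattern.
SAMPLE_LOG = """ts,user,action,lat,lon
2024-03-10T07:45:00,nurse.a@example.org,MailboxLogin,41.88,-87.63
2024-03-10T08:05:00,nurse.a@example.org,MailboxLogin,52.37,4.90
2024-03-10T08:06:00,nurse.a@example.org,AttachmentDownload,52.37,4.90
2024-03-10T08:07:00,nurse.a@example.org,AttachmentDownload,52.37,4.90
2024-03-10T08:08:00,nurse.a@example.org,AttachmentDownload,52.37,4.90
2024-03-10T08:09:00,nurse.a@example.org,AttachmentDownload,52.37,4.90
2024-03-10T08:10:00,nurse.a@example.org,AttachmentDownload,52.37,4.90
2024-03-10T09:00:00,clerk.b@example.org,MailboxLogin,41.88,-87.63
"""
MAX_SPEED_KMH = 900   # above airline speed: two sign-ins cannot be the same person
BULK_THRESHOLD = 5    # attachment downloads per user within BULK_WINDOW_S
BULK_WINDOW_S = 600


def haversine_km(lat1, lon1, lat2, lon2):
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))


def detect(log_text: str) -> list[str]:
    """Return one alert string per impossible-travel pair or bulk-download burst."""
    alerts, last_login, downloads = [], {}, defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["ts"])
        user, lat, lon = row["user"], float(row["lat"]), float(row["lon"])
        if row["action"] == "MailboxLogin":
            if user in last_login:
                prev_ts, prev_lat, prev_lon = last_login[user]
                hours = max((ts - prev_ts).total_seconds() / 3600, 1 / 3600)
                speed = haversine_km(prev_lat, prev_lon, lat, lon) / hours
                if speed > MAX_SPEED_KMH:
                    alerts.append(f"impossible_travel:{user}:{speed:.0f}km/h")
            last_login[user] = (ts, lat, lon)
        elif row["action"] == "AttachmentDownload":
            # Sliding window: keep only downloads inside the last BULK_WINDOW_S.
            downloads[user] = [t for t in downloads[user] + [ts]
                               if (ts - t).total_seconds() <= BULK_WINDOW_S]
            if len(downloads[user]) == BULK_THRESHOLD:
                alerts.append(f"bulk_download:{user}:{BULK_THRESHOLD}in{BULK_WINDOW_S}s")
    return alerts
```

In production the same two rules would run against the mail platform's audit feed in the SIEM, with the geo lookup supplied by the sign-in source rather than embedded in the log.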
By containing fast, assessing PHI exposure, completing HIPAA breach notification, reporting through the HHS breach reporting portal when required, and documenting thoroughly, you protect patients and your organization while meeting regulatory expectations.
FAQs
What steps must I take after a phishing incident in healthcare?
Immediately contain the threat (isolate accounts/devices and reset credentials), preserve evidence, and launch an investigation. Evaluate PHI exposure with HIPAA’s four-factor test to decide if the incident is a reportable breach. If reportable, send timely individual notices, file the HHS report on the required timeline, consider an OIG report if fraud is suspected, and document every action and decision.
How do I notify individuals affected by a PHI breach?
Provide written notice without unreasonable delay and no later than 60 days from discovery. Use first-class mail or opted-in email and include what happened, the PHI involved, steps they should take, what you are doing to mitigate and prevent recurrence, and contact information. If many people cannot be reached, use substitute notice and maintain a 90-day call center.
When should breaches be reported to HHS?
For 500 or more affected individuals, report to the Secretary of HHS via the HHS breach reporting portal within 60 calendar days of discovery. For fewer than 500 individuals, keep a log and submit it within 60 days after the end of the calendar year in which the breach was discovered.
How can healthcare fraud related to phishing be reported?
Escalate internally to compliance and report externally through the Office of Inspector General hotline (1-800-HHS-TIPS / 1-800-447-8477; TTY 1-800-377-4950) or the OIG online intake. Include who is involved, what occurred, dates, amounts, systems affected, and any supporting evidence.