HIPAA BREACH NOTIFICATION — MEDIA
Organization Name: [________________________________]
Breach Reference Number: [________________________________]
Document Version: [____]
Prepared By: [________________________________]
Date Prepared: [__/__/____]
Legal Review Completed: ☐ Yes — Date: [__/__/____] ☐ Pending
Privacy Officer Approval: ☐ Yes — Date: [__/__/____] ☐ Pending
SECTION 1: MEDIA NOTIFICATION REQUIREMENTS
1.1 When Media Notification Is Required
Under 45 C.F.R. § 164.406, a covered entity that discovers a breach of unsecured PHI involving more than 500 residents of a single state or jurisdiction must, in addition to individual notice, notify prominent media outlets serving that state or jurisdiction. The threshold is applied per jurisdiction, not to the breach total: a breach affecting 1,200 people spread across four states with no single state above 500 triggers no media notice anywhere, although HHS must still be notified contemporaneously because the breach involves 500 or more individuals in total (45 C.F.R. § 164.408(b)). This notice must be provided:
- Without unreasonable delay
- No later than 60 calendar days after the breach is discovered. A breach is treated as discovered on the first day it is known to the covered entity, or would have been known by exercising reasonable diligence, including knowledge held by any workforce member or agent other than the person committing the breach (45 C.F.R. § 164.404(a)(2)). The only permitted delay is a documented law enforcement request under 45 C.F.R. § 164.412.
1.2 Determination Worksheet
| Question | Answer |
|---|---|
| Total number of individuals affected by the breach | [________________________________] |
| Does the breach affect more than 500 (i.e., 501 or more) residents of any single state/jurisdiction? | ☐ Yes ☐ No |
| If yes, which state(s)/jurisdiction(s)? | [________________________________] |
| Number of affected residents per state/jurisdiction: | |
| — [State 1]: | [________] |
| — [State 2]: | [________] |
| — [State 3]: | [________] |
| — [State 4]: | [________] |
| Date of breach discovery (starts 60-day clock): | [__/__/____] |
| 60-day deadline for media notification: | [__/__/____] |
| Date media notification issued: | [__/__/____] |
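The per-jurisdiction threshold and the 60-day clock in the worksheet above, as an added worked example that is not part of the original template: a short Python script that de-duplicates the affected-individual roster, counts residents per state, flags the states that cross the media threshold, decides whether HHS notice must be contemporaneous, and computes the outer deadline. The constants, function names and the sample roster are assumptions constructed for illustration; the counting convention for day one of the 60-day window (the script adds 60 calendar days to the discovery date) should be confirmed with counsel.

```python
from collections import Counter
from datetime import date, timedelta

# Thresholds as the rule states them. Note the asymmetry: media notice needs
# MORE THAN 500 residents of one state (45 C.F.R. 164.406), while contemporaneous
# HHS notice applies to 500 OR MORE individuals in total (45 C.F.R. 164.408(b)).
MEDIA_THRESHOLD = 500          # strictly greater than
HHS_CONTEMPORANEOUS_MIN = 500  # greater than or equal to
NOTIFICATION_WINDOW_DAYS = 60  # assumed convention: discovery date + 60 calendar days


def residents_per_jurisdiction(affected):
    """affected: iterable of (individual_id, state_code) pairs.

    The same person often appears in several exported records (one row per
    encounter, claim or system), so de-duplicate by identifier before counting.
    """
    state_of = {}
    for ident, state in affected:
        state_of[ident] = state.strip().upper()
    return Counter(state_of.values())


def media_notice_jurisdictions(counts):
    """States/jurisdictions whose de-duplicated resident count exceeds 500."""
    return sorted(state for state, n in counts.items() if n > MEDIA_THRESHOLD)


def hhs_contemporaneous_required(counts):
    """True when HHS must be notified with the individual notices, not on the annual log."""
    return sum(counts.values()) >= HHS_CONTEMPORANEOUS_MIN


def media_deadline(discovery_date):
    """Outer limit for media notice; 'without unreasonable delay' may require sooner."""
    return discovery_date + timedelta(days=NOTIFICATION_WINDOW_DAYS)


def determination(affected, discovery_date):
    """Fill the worksheet fields from a roster of affected individuals."""
    counts = residents_per_jurisdiction(affected)
    media_states = media_notice_jurisdictions(counts)
    return {
        "total_individuals": sum(counts.values()),
        "per_jurisdiction": dict(counts),
        "media_notice_jurisdictions": media_states,
        "hhs_contemporaneous_notice": hhs_contemporaneous_required(counts),
        "media_deadline": media_deadline(discovery_date) if media_states else None,
    }


def build_roster(counts_by_state):
    """Constructed sample roster with synthetic identifiers (no real data)."""
    roster, n = [], 0
    for state, count in counts_by_state.items():
        for _ in range(count):
            roster.append((f"MRN{n:06d}", state))
            n += 1
    return roster


# Constructed scenario: 1,200 individuals across four states, plus one duplicate export row.
SAMPLE_ROSTER = build_roster({"TX": 520, "NM": 300, "OK": 250, "AZ": 130})
SAMPLE_ROSTER.append(SAMPLE_ROSTER[0])  # the first person exported twice
SAMPLE_DISCOVERY = date(2025, 3, 1)

if __name__ == "__main__":
    for key, value in determination(SAMPLE_ROSTER, SAMPLE_DISCOVERY).items():
        print(f"{key}: {value}")
```

In the constructed scenario only Texas (520 residents) receives media notice even though 1,200 people are affected, and the HHS notice is contemporaneous because the total is 500 or more. Running the same function on a roster of exactly 500 residents of one state shows the off-by-one that the "500+" shorthand hides: HHS notice is contemporaneous, but no media notice is due.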
1.3 Required Content Elements
Per 45 C.F.R. § 164.406(c), the media notification must contain the same five content elements that 45 C.F.R. § 164.404(c) requires for individual notification:
- ☐ A brief description of what happened, including the date of the breach and the date of discovery
- ☐ A description of the types of unsecured PHI involved
- ☐ Steps individuals should take to protect themselves from potential harm
- ☐ A brief description of what the organization is doing to investigate, mitigate harm, and prevent further breaches
- ☐ Contact procedures, including a toll-free telephone number, email address, postal address, or website
SECTION 2: PRESS RELEASE TEMPLATE
2.1 Standard Press Release
[ORGANIZATION LETTERHEAD / LOGO]
FOR IMMEDIATE RELEASE
Date: [__/__/____]
MEDIA CONTACT:
Name: [________________________________]
Title: [________________________________]
Phone: [________________________________] (Toll-Free)
Email: [________________________________]
Website: [________________________________]
NOTICE OF DATA BREACH INVOLVING PROTECTED HEALTH INFORMATION
[City, State] — [Organization Name] ("Organization") is providing this notice to inform the public of a data breach involving protected health information ("PHI") that may affect certain current and former patients [and/or health plan members / employees, as applicable].
What Happened
On or about [Date of Breach or Date Range], [Organization Name] [discovered / was notified of] a [security incident / unauthorized access / cyberattack / theft / loss] involving [brief, plain-language description of what happened]. [Organization Name] discovered the incident on [Date of Discovery] and immediately [took steps to contain the incident / launched an investigation / engaged a cybersecurity firm to assist with the investigation].
[If applicable: The investigation determined that an unauthorized [individual / party / parties] [gained access to / acquired / may have accessed] certain files and systems containing patient health information between [Start Date] and [End Date].]
What Information Was Involved
The types of information that may have been involved include:
[Check all that apply and include only those that are relevant to the specific breach:]
☐ Full name
☐ Date of birth
☐ Mailing address
☐ Email address
☐ Telephone number
☐ Social Security number
☐ Driver's license or state identification number
☐ Medical record number
☐ Patient account number
☐ Health insurance member ID or group number
☐ Diagnosis or condition information
☐ Treatment or procedure information
☐ Medication information
☐ Lab results or test results
☐ Provider name and clinical notes
☐ Dates of service
☐ Financial account or payment card information
☐ Medicare or Medicaid beneficiary number
☐ Other: [________________________________]
Not all of these data elements were necessarily involved for every affected individual.
What Individuals Can Do
[Organization Name] recommends that affected individuals take the following steps to protect themselves:
- Review Explanation of Benefits (EOB) statements from your health insurance provider for any services you did not receive. Report any discrepancies to your insurer immediately.
- Review bank and credit card statements for any unauthorized charges or activity.
- Request a copy of your medical records from your healthcare providers to verify that the information is accurate.
- Place a fraud alert on your credit file by contacting any one of the three major credit bureaus:
- Equifax: 1-800-525-6285 / www.equifax.com
- Experian: 1-888-397-3742 / www.experian.com
- TransUnion: 1-800-680-7289 / www.transunion.com
- Place a security freeze (credit freeze) on your credit file to prevent new accounts from being opened in your name. Security freezes are free under federal law.
- Obtain a free credit report from each bureau annually at www.annualcreditreport.com or by calling 1-877-322-8228.
- Report suspected identity theft to the Federal Trade Commission at www.IdentityTheft.gov or 1-877-438-4338.
- File a police report if you believe you are a victim of identity theft.
[If credit monitoring is being offered:]
[Organization Name] is offering [duration, e.g., 12 months / 24 months] of complimentary [credit monitoring / identity theft protection] services through [Vendor Name]. Affected individuals may enroll by [visiting [Enrollment Website] / calling [Enrollment Phone Number]] and using activation code [Code]. The deadline to enroll is [Enrollment Deadline].
What We Are Doing
[Organization Name] takes the privacy and security of patient information seriously. Upon learning of this incident, we immediately took the following steps:
☐ Launched a comprehensive investigation with the assistance of [outside cybersecurity experts / forensic investigators]
☐ Contained the incident and secured the affected [systems / records / devices]
☐ Notified the U.S. Department of Health and Human Services as required by federal law
☐ Notified law enforcement [and are cooperating with their investigation]
☐ Implemented additional [security measures / access controls / encryption / monitoring]
☐ Provided additional privacy and security training to workforce members
☐ Reviewed and strengthened our [policies and procedures / vendor management practices]
☐ Are offering complimentary credit monitoring and/or identity theft protection services to affected individuals
[Organization Name] is committed to protecting the privacy and security of the information entrusted to us and deeply regrets any concern or inconvenience this incident may cause.
Contact Information
Individuals who believe they may be affected or who have questions are encouraged to contact:
[Organization Name] — Breach Response Center
Toll-Free Phone: [________________________________]
Email: [________________________________]
Mailing Address: [________________________________]
Website: [________________________________]
Hours of Operation: [________________________________]
Reference Number: [________________________________]
This notice is being provided in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule.
###
[End of Press Release]
SECTION 3: HOLDING STATEMENT TEMPLATE
Use this holding statement when media inquiries are received before the full investigation is complete and the formal press release is ready.
"[Organization Name] is aware of a [security incident / data privacy incident] that may have affected certain [patient / member] information. We are conducting a thorough investigation with the assistance of [outside cybersecurity experts] and are working diligently to determine the scope and nature of the incident. We are committed to the privacy and security of the information entrusted to us and will provide additional information as it becomes available. We will notify affected individuals in accordance with applicable law."
"Questions may be directed to [Spokesperson Name] at [Phone] or [Email]."
Holding Statement Approval:
☐ Legal counsel reviewed: Date [__/__/____]
☐ Privacy Officer reviewed: Date [__/__/____]
☐ Executive leadership approved: Date [__/__/____]
SECTION 4: SPOKESPERSON TALKING POINTS
4.1 Designated Spokesperson(s)
| Role | Name | Contact |
|---|---|---|
| Primary Spokesperson | [________________________________] | [________________________________] |
| Backup Spokesperson | [________________________________] | [________________________________] |
Important: Only the designated spokesperson(s) are authorized to speak with the media. All other workforce members must direct media inquiries to the spokesperson.
4.2 Key Messages
- "[Organization Name] takes the privacy and security of patient information extremely seriously."
- "We discovered this incident on [Date] and took immediate action to [contain the incident / launch an investigation / engage cybersecurity experts]."
- "We have notified the U.S. Department of Health and Human Services, [law enforcement], and [affected individuals / are in the process of notifying affected individuals] in accordance with federal and state law."
- "We are [offering complimentary credit monitoring and identity protection services / providing resources] to help affected individuals protect themselves."
- "We have implemented additional security measures to help prevent a similar incident in the future."
- "We are cooperating fully with [law enforcement / regulatory authorities] in their investigation."
4.3 Bridging Statements
Use these statements to redirect questions to approved talking points:
- "What I can tell you is..."
- "The most important thing for affected individuals to know is..."
- "Our priority is..."
- "We are focused on..."
- "I would refer you to our press release for the details of..."
4.4 Questions to Decline
The spokesperson should decline to answer or defer the following:
- Specific technical details of the attack vector or vulnerability (may aid other attackers)
- Whether ransom was paid (if ransomware was involved)
- Identity of the threat actor or attacker
- Specific patient names or individual details
- Pending litigation or potential legal claims
- Dollar amount of damages or losses
- Details of ongoing law enforcement investigation
Suggested Response: "I'm not able to discuss that at this time [due to the ongoing investigation / for security reasons / to protect the privacy of affected individuals]."
SECTION 5: MEDIA Q&A PREPARATION
Q1: "How many people were affected?"
"Approximately [number] individuals may have been affected. We are continuing to investigate and will update this number if necessary."
Q2: "What type of information was compromised?"
"Based on our investigation, the types of information that may have been involved include [list from press release]. Not all data elements were necessarily involved for every individual."
Q3: "When did the breach occur and when did you find out?"
"The incident occurred on or about [Breach Date/Range]. We discovered it on [Discovery Date] and immediately began our investigation and response."
Q4: "Why did it take so long to notify people?"
"After discovering the incident, we needed to conduct a thorough investigation to identify exactly what information was involved and who was affected. Federal law requires notification without unreasonable delay and in no case later than 60 days after discovery. We worked to notify affected individuals as quickly as possible while ensuring the accuracy of our notifications."
Q5: "Was this a ransomware attack?"
"[If yes:] We can confirm that our systems were affected by ransomware. We are working with cybersecurity experts and law enforcement to address the situation."
"[If no:] This incident did not involve ransomware."
"[If declining to answer:] I'm not able to discuss the specific nature of the attack at this time due to the ongoing investigation."
Q6: "Did you pay a ransom?"
"I'm not able to discuss that at this time."
Q7: "Are you offering credit monitoring?"
"Yes, we are providing [duration] of complimentary [credit monitoring / identity protection] services to affected individuals through [Vendor Name]. Information about enrollment is included in the notification letters."
Q8: "What are you doing to prevent this from happening again?"
"We have implemented additional security measures, including [describe in general terms]. We are committed to continuously strengthening our privacy and security practices."
Q9: "Has anyone's information been misused?"
"At this time, we [have no evidence of / are not aware of] any misuse of the information involved. We encourage affected individuals to remain vigilant and take advantage of the protective resources we are offering."
Q10: "Is there a lawsuit?"
"I am not able to comment on pending or potential litigation."
Q11: "Has HHS / OCR opened an investigation?"
"We have reported this incident to the U.S. Department of Health and Human Services as required by law. We are cooperating fully with all regulatory authorities."
Q12: "Who was responsible for the breach?"
"The investigation [is ongoing / has determined that the incident was caused by (general description)]. I am not able to provide additional details at this time."
SECTION 6: SOCIAL MEDIA COMMUNICATION GUIDANCE
6.1 Social Media Response Protocol
☐ Monitor social media platforms for mentions of the breach
☐ Do NOT engage in extended discussions about the breach on social media
☐ Respond to inquiries with a brief statement directing to the official press release and contact information
6.2 Sample Social Media Post
"[Organization Name] is providing notice of a data privacy incident. For details, visit [Website URL]. If you have questions, call [Toll-Free Number]. We take privacy seriously and are committed to protecting your information."
6.3 Social Media Guidelines
☐ All social media posts must be approved by legal counsel and the Communications team
☐ Do NOT respond to individual comments or questions on social media with breach-specific details
☐ Do NOT post any information beyond what is contained in the official press release
☐ Do NOT engage with critics, trolls, or threatening comments — escalate to legal counsel
☐ Monitor for misinformation and, if necessary, issue a factual correction approved by legal counsel
SECTION 7: WEBSITE POSTING REQUIREMENTS
7.1 Website Notice (Required for Substitute Notice)
Under 45 C.F.R. § 164.404(d)(2)(ii), when substitute notice is required because contact information is insufficient or out of date for 10 or more individuals, the covered entity must provide it either by a conspicuous posting on the home page of its website for 90 days or by a conspicuous notice in major print or broadcast media serving the area where the affected individuals likely reside. Either form must include a toll-free telephone number, active for at least 90 days, through which individuals can learn whether their PHI may have been involved.
Even when substitute notice is not required, the Organization should consider posting a notice on its website for transparency and to supplement other notification methods.
7.2 Website Notice Template
IMPORTANT NOTICE REGARDING DATA PRIVACY INCIDENT
[Date Posted: [__/__/____]]
[Organization Name] is notifying individuals of a [security incident / data breach] that may have involved certain protected health information. We discovered the incident on [Date of Discovery] and have conducted a thorough investigation.
What Happened: [Brief description consistent with press release]
What Information Was Involved: [List of data types consistent with press release]
What You Can Do: [Summary of protective steps]
What We Are Doing: [Summary of response actions]
Contact Us: If you believe you may be affected or have questions, please contact us at:
- Phone: [Toll-Free Number]
- Email: [Email Address]
- Mail: [Mailing Address]
- Hours: [Hours of Operation]
[If credit monitoring offered:] We are providing [duration] of complimentary [credit monitoring / identity protection] services. To enroll, visit [URL] or call [Phone Number].
For more information, see our [full press release / detailed notice] [link].
Website Notice Requirements:
☐ Posted on homepage or conspicuous location: Date [__/__/____]
☐ Must remain posted for at least 90 days (if substitute notice): Removal date no earlier than [__/__/____]
☐ Include toll-free number that is active for at least 90 days
☐ Legal counsel reviewed: Date [__/__/____]
SECTION 8: MEDIA OUTLET IDENTIFICATION
8.1 Identifying Prominent Media Outlets
The Breach Notification Rule requires notice to "prominent media outlets serving the state or jurisdiction." While the rule does not define "prominent," the Organization should consider:
- Major daily newspapers (print and online)
- Major television stations (network affiliates)
- Major radio stations (news/talk format)
- Wire services (AP, Reuters) if the breach has national significance
- Online news outlets with significant state/regional readership
8.2 Media Distribution List
| State/Jurisdiction | Outlet Name | Type | Contact | Distribution Date |
|---|---|---|---|---|
| [________] | [________________________________] | ☐ TV ☐ Print ☐ Radio ☐ Online | [________________] | [__/__/____] |
| [________] | [________________________________] | ☐ TV ☐ Print ☐ Radio ☐ Online | [________________] | [__/__/____] |
| [________] | [________________________________] | ☐ TV ☐ Print ☐ Radio ☐ Online | [________________] | [__/__/____] |
| [________] | [________________________________] | ☐ TV ☐ Print ☐ Radio ☐ Online | [________________] | [__/__/____] |
| [________] | [________________________________] | ☐ TV ☐ Print ☐ Radio ☐ Online | [________________] | [__/__/____] |
| [________] | [________________________________] | ☐ TV ☐ Print ☐ Radio ☐ Online | [________________] | [__/__/____] |
| [________] | [________________________________] | ☐ TV ☐ Print ☐ Radio ☐ Online | [________________] | [__/__/____] |
| [________] | [________________________________] | ☐ TV ☐ Print ☐ Radio ☐ Online | [________________] | [__/__/____] |
8.3 Distribution Method
☐ Press release distributed via wire service (e.g., PR Newswire, Business Wire)
☐ Press release emailed directly to media outlets
☐ Press release posted to Organization website and social media
☐ Press conference scheduled: Date [__/__/____], Location [________________________________]
SECTION 9: STATE-SPECIFIC MEDIA NOTIFICATION REQUIREMENTS
9.1 State Variations
While HIPAA establishes the baseline media notification requirement, some states have additional requirements:
California: Notice to the California AG is required (not to media separately) when more than 500 California residents are affected. SB 446 (effective Jan. 1, 2026) requires a sample notification be submitted to the AG within 15 days of notifying individuals.
Texas: No separate media notification requirement beyond HIPAA. AG notification required for 250+ Texas residents affected.
Florida: The Florida Information Protection Act (FIPA) requires notification to the Florida Department of Legal Affairs (AG) within 30 days for breaches affecting 500+ Florida residents. No separate media notification requirement beyond HIPAA.
New York: Must notify the NY AG, Department of State, and Division of State Police. For HIPAA breaches, AG notification within 5 business days of HHS notification.
9.2 Coordination with Individual Notification Timeline
The media notification must be coordinated with individual notification to ensure consistency:
☐ Media notification issued on or before the date individual notifications are mailed
☐ Content of media notification is consistent with individual notification letters
☐ Toll-free number and website are operational before media release is issued
☐ Call center is staffed and trained before media release is issued
☐ FAQ document prepared and distributed to call center staff
☐ Spokesperson briefed and available for media inquiries
SECTION 10: FOLLOW-UP COMMUNICATION TEMPLATE
10.1 Follow-Up Press Release
Use this template if significant new information becomes available after the initial notification.
FOR IMMEDIATE RELEASE
Date: [__/__/____]
MEDIA CONTACT:
[Same contact information as original release]
UPDATE: [Organization Name] Provides Additional Information Regarding Data Privacy Incident
[City, State] — [Organization Name] is providing an update regarding the data privacy incident originally reported on [Date of Original Release].
Updated Information:
[Describe updated findings, additional affected individuals, additional types of information involved, or other material developments.]
What This Means for Affected Individuals:
[Describe any changes to recommended protective steps or additional services being offered.]
Continued Response:
[Describe additional steps the Organization has taken since the original notification.]
Contact Information:
[Same contact information as original release]
###
SECTION 11: CRISIS COMMUNICATION STRATEGY
11.1 Communication Timeline
| Phase | Timing | Action |
|---|---|---|
| Immediate (Day 1-3) | Upon breach discovery | Issue holding statement if media inquires; begin investigation |
| Investigation (Day 4-45) | During investigation | Respond to media with holding statement only; prepare press release |
| Notification (Day 45-60) | Pre-notification | Finalize press release; brief spokesperson; staff call center |
| Release Day | Day of notification | Issue press release; activate call center; post website notice |
| Post-Release (Week 1-4) | After notification | Monitor media; respond to inquiries; issue updates as needed |
| Long-Term (Month 2-6) | Ongoing | Monitor for ongoing coverage; prepare for regulatory inquiries |
11.2 Communication Principles
☐ Transparency: Provide accurate, complete information about what is known
☐ Timeliness: Communicate promptly, even if all details are not yet available
☐ Empathy: Acknowledge the impact on affected individuals
☐ Accountability: Accept responsibility and describe corrective actions
☐ Consistency: Ensure all communications (press release, website, call center, social media) convey the same information
☐ Legal Compliance: All communications reviewed by legal counsel
SECTION 12: LEGAL REVIEW CHECKLIST BEFORE MEDIA RELEASE
12.1 Pre-Release Review
The following items must be verified before any media communication is released:
☐ Press release contains all five required content elements under 45 C.F.R. § 164.404(c)
☐ No individual patients are identified or identifiable from the press release
☐ No attorney-client privileged or work-product information is disclosed
☐ No statements that could be construed as admissions of liability or negligence
☐ Description of breach is accurate and consistent with investigation findings
☐ Timeline information is accurate (dates of breach, discovery, notification)
☐ Protective steps recommended to individuals are accurate and current
☐ Credit monitoring / identity protection enrollment details are correct
☐ Contact information (toll-free number, email, website) is correct and operational
☐ Press release is consistent with individual notification letters
☐ State-specific requirements have been addressed
☐ Spokesperson talking points are consistent with press release
☐ Social media posts are consistent with press release
☐ Website notice is consistent with press release
12.2 Approval Signatures
Legal Counsel:
Name: [________________________________]
Signature: ______________________________
Date: [__/__/____]
Privacy Officer:
Name: [________________________________]
Signature: ______________________________
Date: [__/__/____]
Communications / PR:
Name: [________________________________]
Signature: ______________________________
Date: [__/__/____]
Executive Leadership:
Name: [________________________________]
Title: [________________________________]
Signature: ______________________________
Date: [__/__/____]
SECTION 13: CROSS-REFERENCE TO RELATED TEMPLATES
This Media Notification template works in conjunction with the following Organization documents:
- HIPAA Breach Response Plan — Comprehensive breach response procedures and notification timelines
- HIPAA Security Incident Response Plan — Technical incident detection and response
- HIPAA Breach Notification — HHS — HHS breach portal submission guide
- HIPAA Breach Notification Call Script — Individual notification call procedures and FAQ responses
- HIPAA Breach Risk Assessment Worksheet — Four-factor risk assessment documentation
SOURCES AND REFERENCES
- 45 C.F.R. § 164.406 — Notification to Media (Breach Notification Rule)
- 45 C.F.R. § 164.404(c) — Content of Individual Notification (Five Required Elements)
- 45 C.F.R. § 164.404(d)(2) — Substitute Notice Requirements (Website Posting)
- 45 C.F.R. §§ 164.400-414 — Breach Notification Rule (Complete)
- HHS OCR — Breach Notification Rule Guidance (https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html)
- Cal. Civ. Code § 1798.82 and SB 446 — California Breach Notification / AG Notification
- Tex. Bus. & Com. Code § 521.053 — Texas Breach Notification / AG Notification
- Fla. Stat. § 501.171 — Florida Information Protection Act
- N.Y. Gen. Bus. Law § 899-aa — New York SHIELD Act (as amended)
- FTC — IdentityTheft.gov (https://www.identitytheft.gov)
This template is provided for informational purposes only and does not constitute legal advice. All media communications regarding a breach should be reviewed and approved by qualified legal counsel before distribution. HIPAA compliance requirements are subject to change based on OCR guidance and regulatory updates.