Communicating in Crisis: Lessons learned from healthcare breaches

Cybersecurity has quickly become one of the most challenging issues for modern organizations. As technologies evolve to previously unfathomable levels of sophistication, so too do the attack methods used by threat actors. Bad actors are using the same technologies that companies use to advance innovation and drive growth. Artificial intelligence and deepfakes, among other tools, help cyber criminals socially engineer their attacks and significantly enhance their sophistication and impact. And as the risk grows, so does the threat to reputations that brands have taken years to build.

When we consider cybersecurity within the healthcare industry, hospitals and healthcare systems are often top of mind. As consumers and patients, we know these organizations access our data to inform care and enhance the patient experience. But hospitals and doctors’ offices are not the only targets.

Medical devices, health insurance companies, biotechnology industries, and pharmaceuticals are among the targets of bad actors. In fact, medical devices and third-party vendors represent some of the weakest points in the industry. Look no further than the recent MOVEit breach that impacted Harris Health System, Johns Hopkins Medicine and UofL Health among a myriad of other organizations and businesses across industries.

According to a NetDiligence Cyber Claims Study, the healthcare industry was the second-leading sector in terms of claims, topped only by professional services firms. Of these claims, the top causes of data loss in the healthcare industry were ransomware, staff mistakes, and hackers.

Arguably more important from the patient care and reputation risk perspective, however, is that a large percentage of cybersecurity incidents do not expose records at all. These events, which make up 24 percent of cyber claims, lock users out of databases, systems or networks vital to medical professionals, posing a greater threat to care.

While secure systems, effective preparation and rapid response are critical from the operational, patient care, and business continuity perspectives, how should healthcare organizations mitigate the reputation risk associated with these omnipresent threats? And how can organizations effectively use communications to assist in these efforts?

Argyle’s Data Intelligence Team conducted a series of analyses to dig deeper into this question. By examining cases across the healthcare industry, the team reached the following three key conclusions on best practices for navigating internal and external communications amid a cyber breach.

1. Response time has a measurable impact on reputation. Taking longer than six months to go public with a breach creates a far higher risk of lawsuits, which are often class actions. The ensuing media buzz often generates a narrative the attacked organization cannot control. In most cases, conversation then revolves around whether the organization followed best practices and notified quickly enough. This standard is also evolving as regulatory agencies increase their scrutiny and enforcement, as we’ve seen most recently with the Securities and Exchange Commission’s rule requiring public companies to disclose material cyberattacks within four days of determining the event was material.

Michigan Medicine, the University of Michigan’s hospital system, avoided such scrutiny by conducting a thorough investigation and conveying its findings in a timely manner despite the hospital’s large size. Just 65 days passed between the hospital’s first detection of suspicious activity in its system and a press release announcing the attack. As a result, only 1.25% of conversation about Michigan Medicine pertained to the breach in the six months that followed. This is extremely low for a cyber event, especially when compared to our next case study, CommonSpirit Health.

2. Social media plays a critical role in privacy and cybersecurity communications. Companies that lack transparency on social media during a public breach announcement are often perceived as withholding information—whether accurate or not. Actively amplifying public updates using all appropriate communications channels, including social media, strengthens transparency and reach. CommonSpirit Health, one of the largest non-profit health systems in the US with more than 1,000 care sites nationwide, was the victim of a privacy event resulting from ransomware activity on its network in October of 2022. While the health system presented an easily digestible webpage dedicated to the breach, it failed to leverage its social media platforms to amplify this messaging, leaving many unaware of the information they sought. As a result, 55% of conversation about CommonSpirit Health in the months that followed pertained to the breach.

3. Communicating consistent, clear updates is key. While this may seem obvious, the general sense of restlessness and angst that victims of a breach experience stems largely from a lack of clear, accessible information and answers. Knowing, as soon as possible, what information was accessed and when is critical to the affected population. This is an area where HCA Healthcare excelled in maximizing transparency.

As recently as July 5, the group shared a press release stating that an “unknown and unauthorized party” had published HCA Healthcare patient data on an online forum at an undisclosed time. Following the release, HCA signaled that its findings could change given risks and scenarios beyond the healthcare group’s control. Not only was HCA transparent about what was accessed during its data security incident, but the company also explicitly named what it believed had not been accessed.

A list of Frequently Asked Questions revealed that the call center did not open until July 10, five days after the release. Further, HCA did not begin notifying patients via email until July 14. Yet during the period between the release and notification from HCA, social commentary on the incident only served to amplify the news. It did not discuss a lack of transparency or express confusion. There is a clear correlation between this lack of discussion and the incredible transparency HCA Healthcare displayed.

Breaches represent major reputational crises for companies ill-prepared to communicate in the wake of a cyberattack. Communicating through such a crisis respectfully and effectively is no small feat. Doing so requires a coordinated effort from many parties to consider and engage all stakeholders, both internal and external. If executed properly, these efforts will allow brands to emerge with a protected, if not elevated, reputation.


About the Authors

Sarah Tenner
