| Misdirected clinical record | Identify sender, recipient, purpose, minimum-necessary expectations, mitigation, and whether the recipient used or retained the information. | Review address selection, secure-message controls, warning prompts, transmission safeguards, and workforce procedure. | Analyze the nature and extent of PHI, unauthorized person, acquisition or viewing, and mitigation; document the conclusion. | Preserve the message, recall attempts, recipient confirmation, interviews, policy, training, decision, and corrective action. |
| Ransomware affecting ePHI | Control workforce and third-party disclosures during response and patient communications. | Investigate access, malware behavior, encryption status, segmentation, logging, backups, contingency operations, and recovery. | Evaluate whether ePHI was acquired or viewed and apply the required breach risk assessment rather than making assumptions. | Retain forensic facts, timeline, containment, restore evidence, leadership decisions, notifications, and risk-reduction work. |
| Vendor support account abused | Confirm the vendor’s authorized purpose and whether access exceeded that purpose. | Review unique identity, MFA, privilege, session logs, remote access, monitoring, termination, and contract safeguards. | Coordinate facts and deadlines with the business associate; determine affected individuals and notification responsibilities. | Preserve the BAA, due diligence, access approvals, logs, vendor notices, investigation, and changes to oversight. |