Breach Response
The Breach Response process at CMS manages incidents involving PII, PHI, or FTI. Steps include analyzing the breach and assessing the risk, as well as notifying individuals and mitigating any negative impacts according to a structured framework.
Last Reviewed: 2/6/2026
Protecting sensitive information at CMS
CMS systems contain the personal and health information of millions of people in order to provide benefits and services. It is critical that we protect this sensitive information by making sure it is accessed only by the right people and only when necessary. When the safety of CMS information or information systems is threatened or compromised, we follow the steps prescribed by federal policies and guidelines to assess the risk and mitigate any resulting harm to individuals.
Incidents and breaches
Any time there is a violation of computer security policies, acceptable use policies, or standard security practices at CMS, it is considered an incident. All security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk so that incident responders can assess and mitigate them.
- Phone: 410-786-2580 or 800-562-1963
- Email: CMS_IT_Service_Desk@cms.hhs.gov
If an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a breach. Every breach begins as an incident and becomes a breach only once incident responders determine that PII has been affected. The compromise of other types of sensitive data, such as Protected Health Information (PHI) and Federal Tax Information (FTI), can also constitute a breach because those data types are (or can contain) PII.
Breach response activities will often take place alongside incident response activities such as containment, eradication, and recovery.
Who participates in breach response?
Breach response has its own protocol separate from (but related to) incident response. It requires coordination among various stakeholders across CMS and HHS:
- Personnel at the CMS Cybersecurity Integration Center (CCIC) who support CMS Incident Response (IR)
- People within CMS responsible for ensuring system security and privacy – such as System and Business Owners (SO / BO), System Security and Privacy Officer (previously known as ISSO), and Cyber Risk Advisors (CRA)
- People at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)
- CMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and who must document how their services fit into the response process
Breach response steps
Breach response activities go through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.
Reporting
The incident ticket created by the CMS IT Service Desk is the first notice to CMS of a possible breach. The Service Desk works with the individual reporting the incident to produce an initial incident report, which is delivered to the Incident Management Team (IMT), and opens a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.
Risk assessment
IMT works with the affected system’s officials and operators to investigate the incident. They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected breach. IMT conducts a formal risk assessment and convenes a Breach Analysis Team if necessary, providing the team with the IMT Risk Assessment as a deliverable.
Breach analysis
The Breach Analysis Team (BAT), composed of leadership stakeholders and security and privacy subject matter experts for the affected system, convenes to review the risk assessment and categorize the breach as low, moderate, or high. The BAT determines whether the breach warrants notification of affected individuals and, if required, drafts a Notification and Mitigation Plan for the HHS Privacy Incident Response Team (PIRT). The system’s Business Owner makes the final decision on whether notification and mitigation will proceed.
Check out the CMS Breach Response Plan here.
Notification and mitigation
HHS PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary, or it may request changes to the plan. If the PIRT approves, the Business Owner of the affected system is responsible for executing the approved plan, together with the Contracting Officer's Representative (COR) if the affected system is operated by a contractor.