Breach Response

The steps taken at CMS in response to a suspected breach of personally identifiable information (PII)

Contact: Incident Management Team | IMT@cms.hhs.gov
CMS Slack Channel
  • #ispg-sec_privacy-policy

Protecting sensitive information at CMS

CMS systems contain the personal and health information of millions of people in order to provide benefits and services. It is critical that we protect this sensitive information by making sure it is accessed only by the right people and only when necessary. When the safety of CMS information or information systems is threatened or compromised, we follow the steps prescribed by federal policies and guidelines to assess the risk and mitigate any resulting harm to individuals.

Incidents and breaches

Any violation of computer security policies, acceptable use policies, or standard security practices at CMS is considered an incident. All security and privacy incidents at CMS must be reported to the CMS Information Technology (IT) Service Desk so that they can be assessed and mitigated by incident responders.

If an incident involves the loss of control or unauthorized disclosure of Personally Identifiable Information (PII), then the incident is considered a breach. Breaches begin as incidents until incident responders determine that PII has been affected. The compromise of other types of sensitive data, such as Personal Health Information (PHI) and Federal Tax Information (FTI), can also constitute a breach because they are (or can contain) PII.

Breach response activities will often take place alongside incident response activities such as containment, eradication, and recovery. Detailed information about incident response at CMS can be found in the CMS Risk Management Handbook Chapter 8: Incident Response.

Who participates in breach response?

Breach response has its own protocol separate from (but related to) incident response. It requires coordination among various stakeholders across CMS and HHS:

  • Personnel at the CMS Cybersecurity Integration Center who support CMS Incident Response (IR)
  • People within CMS responsible for ensuring system security and privacy – such as System and Business Owners (SO / BO), Information System Security Officers (ISSO), and Cyber Risk Advisors (CRA)
  • People at HHS who must cooperate in or approve CMS actions, including the HHS Privacy Incident Response Team (PIRT)
  • CMS Security and Privacy stakeholders who are responsible for developing cyber defense and response systems and must describe the process ecosystem for their services

Breach response steps

Breach response activities go through four stages: reporting, risk assessment, breach analysis, and notification and mitigation.

  1. Reporting

    The incident ticket submitted by the CMS IT Helpdesk is the first notice to CMS of a possible breach. The IT Helpdesk works with the individual reporting an incident to create an initial incident report as a deliverable to the Incident Management Team (IMT) and create a ticket to track the issue. The incident ticket is automatically mirrored in the equivalent HHS system.

  2. Risk assessment

    IMT works with the affected system’s officials and operators to investigate the incident. They assess whether any categories of sensitive data may be compromised. If so, the incident is considered a suspected breach. IMT conducts a formal risk assessment and convenes a Breach Analysis Team if necessary, providing the team with the IMT Risk Assessment as a deliverable.

  3. Breach analysis

    The Breach Analysis Team (BAT) convenes to review the risk assessment and categorizes the risk represented by the breach as low, moderate, or high. The BAT consists of stakeholders in leadership positions and security / privacy subject matter experts for the affected system. The team determines if the conditions of the breach warrant notifying the affected individuals. If so, the team drafts a Notification and Mitigation Plan to the HHS Privacy Incident Response Team (PIRT). The Business Owner of the system has the final decision on whether notification and mitigation will go forward.

  4. Notification and mitigation

    HHS PIRT reviews the Notification and Mitigation Plan. The PIRT may overrule the BAT on whether notification and mitigation are necessary, or it may request changes to the plan. If the PIRT approves, the Business Owner of the affected system (together with the Contracting Officer's Representative, or COR, if the affected system is a contractor system) is responsible for executing the approved plan.