
CMS Breach Response Plan

This plan defines actions for CMS Breach Response Teams in suspected PII/PHI breaches to meet federal mandates. It covers roles, reporting to HHS/CISA, investigation, risk assessment, individual notification, and major incident protocols.

Last Reviewed: 12/18/2025

Contact: ISPG Policy Team | CISO@cms.hhs.gov

Introduction

This Breach Response Plan defines the actions that Breach Response Teams must take in case of suspected breaches of Personally Identifiable Information (PII) and Protected Health Information (PHI) at the Centers for Medicare & Medicaid Services (CMS) to meet federal requirements. 

The plan includes roles and responsibilities, breach response deliverables and lines of communication, triggers for federal reporting requirements, and resources from the Department of Health and Human Services (HHS) and other authorities. The plan is structured to meet the requirements of OMB Memorandum M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (PDF).

This Breach Response Plan helps to ensure a coordinated response from all entities responsible for investigating and mitigating a breach, including organizations internal and external to CMS, as well as those responsible for remediating any identified process shortfalls.

Breach Response Teams 

HHS Breach Response Team 

The HHS Breach Response Team is the group of HHS officials designated by the HHS Secretary that may be convened to respond to a breach. Once convened, the HHS Senior Agency Official for Privacy (SAOP) is responsible for leading the Breach Response Team.  

At a minimum, the HHS Breach Response Team must include the following officials required by OMB Memorandum M-17-12: 

  • HHS SAOP/Chief Information Officer (CIO) (Chair) 
  • HHS Chief Information Security Officer (CISO)
  • HHS legal counsel (a representative of the HHS Office of the General Counsel) 
  • An HHS legislative affairs official (a representative of the HHS Assistant Secretary for Legislation (ASL))
  • An HHS communications official (a representative of the HHS Assistant Secretary for Public Affairs (ASPA))

At the discretion of the HHS SAOP, representatives from additional HHS offices and Staff Divisions may be engaged to provide expertise and advice to the HHS Breach Response Team. Examples include, but are not limited to, representatives from acquisitions, budget, human resources, law enforcement, physical security, and any other personnel who may be necessary according to specific HHS missions, authorities, circumstances, and identified risks. The HHS SAOP must ensure that appropriate subject matter experts who can identify statutory or regulatory reporting requirements are part of the HHS Breach Response Team.

As defined by OMB M-25-04, in the event of a breach constituting a major incident, the HHS SAOP may determine that organizations on the HHS Breach Response Team must be represented by a member of their senior leadership. The HHS SAOP will also engage representatives of the HHS Secretary and Deputy Secretary.  

Privacy and Information Management (PIM) at HHS is responsible for providing administrative support to the HHS Breach Response Team. Organizations represented on the HHS Breach Response Team must provide the names and contact information for a representative and an alternate. Organizations must also provide the name and contact information of a senior member to support the response to a major incident. 

CMS Breach Response Team

CMS must establish its own Breach Response Team consistent with the HHS Breach Response Plan, OMB guidance, and applicable law. CMS must identify a Breach Response Team Chair to serve as the primary coordinator of breach response activities and point of contact for the HHS Breach Response Team. At a minimum, the CMS Breach Response Team must be convened as part of the response whenever a breach impacting CMS is submitted to the HHS Breach Response Team for review.

The CMS Breach Response Team must include, at a minimum: 

  • CMS Office of the Administrator (Chief Operating Officer (COO)) or Deputy
  • CMS Senior Official for Privacy (SOP)
  • CMS Chief Information Officer (CIO) or Deputy
  • CMS Chief Information Security Officer (CISO) or Deputy
  • CMS legal counsel (a representative of the Office of the General Counsel for the CMS Division) 
  • CMS Office of Legislation Representative 
  • CMS Office of Acquisitions and Grants Management Representative 
  • CMS Office of Communication Representative
  • Representative from the Affected Program Office 

The CMS SOP must ensure that appropriate subject matter experts who can identify statutory or regulatory reporting requirements are part of the CMS Breach Response Team. If more than one program office is affected, the CMS SOP (or Breach Response Team Chair) will have final decision-making authority to ensure a single, consistent response. Since CMS is a covered entity for the Medicare Fee for Service Program and has business associates (as defined under the HIPAA Privacy Rule at 45 C.F.R. § 160.103), the Breach Response Team must also include representatives who can identify whether the breach is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and which HIPAA requirements apply.

Reporting suspected or confirmed breaches to HHS

CMS is responsible for reporting all suspected or confirmed breaches to the HHS Computer Security Incident Response Center (CSIRC) and PIM via the HHS Breach Response Tool. If the HHS Breach Response Tool is not in use or is unavailable, CMS must use a reporting mechanism or process pursuant to the terms of the HHS Breach Response Policy, Tracking and Documenting the Response to a Breach. CMS may supplement its report by notifying PIM in writing at PrivacyProgramMailbox@hhs.gov. Reporting must take place as soon as possible and without unreasonable delay, and reporting shall not be contingent upon an investigation. Upon receiving the report, PIM may request additional information. When multiple reporting frameworks or requirements apply, CMS will follow the stricter applicable standard.

Reporting to U.S. Cybersecurity and Infrastructure Security Agency (CISA)

As HHS’s principal cybersecurity operations center, the Computer Security Incident Response Center (CSIRC) is responsible for notifying CISA of breaches consistent with HHS policy (including, as applicable, the HHS Information Systems Security and Privacy Policy (IS2P) and the HHS CSIRC Concept of Operations) and CISA notification guidelines.

Investigating a breach

Once a suspected or confirmed breach has been reported, CMS must begin investigating to confirm the breach and the potential risk of harm. While this document is organized linearly, due to the nature of breach response, many response activities will occur in tandem. Breach response must always be tailored to the facts of the specific breach.

Confirming a breach has occurred

The CMS SOP, in coordination with Affected Program Offices and the CMS Breach Response Team, will assess whether the data involved in the potential breach is PII (i.e., whether the information can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual). In performing this assessment, it is important to recognize that information that is not PII can become PII whenever additional information becomes available—in any medium or from any source—that would make it possible to identify an individual.

If the breach involves third parties (e.g., contractors, subcontractors, grantees), the Affected Program Office must confirm whether the data involved is federal data. It may be necessary for the Affected Program Office to consult with experts (e.g., legal counsel, Contracting Officer(s)) to make this determination.

Investigating and responding to breaches involving contractors

For all breaches involving contractors or subcontractors, the Affected Program Office must immediately ensure the Contracting Officer Representative (COR) and Contracting Officer (CO) are aware of the breach. Contractors must report suspected breaches within one hour of discovery and must fully cooperate in investigations, including providing necessary information or forensic artifacts. The CO must be included in all communication with the contractor regarding a breach. Communication with a contractor involved in a breach must be coordinated with and through the CO. Any direction to a contractor to act under the contract related to breach response (e.g., providing notification to potentially affected individuals) must come from the CO.

The relevant CO(s) must serve on the CMS Breach Analysis Team for all breaches involving contractors or subcontractors. For any breaches involving contractors or subcontractors, the CMS Breach Response Team must review the contract to determine the privacy compliance and breach response obligations the contractor or subcontractor has pursuant to the contract. The CO will serve as the authority on the contractor’s privacy compliance and breach response obligations pursuant to the contract. 

Identifying applicable privacy compliance documentation

When responding to a breach, the Affected Program Office, in coordination with the CMS SOP, must identify all applicable privacy compliance documentation, including System of Records Notices (SORNs), Privacy Impact Assessments (PIAs), and privacy notices. This documentation helps identify what information and populations were potentially affected, as well as the purpose for which the information was originally collected, the permitted uses and disclosures of the information, and other information that may be useful when developing the CMS response.

When reviewing privacy compliance documentation in response to a breach, the CMS SOP must, at a minimum, consider the following: 

  • Which SORNs, PIAs, and privacy notices apply to the potentially compromised information? 
  • If PII maintained as part of a system of records needs to be disclosed to a party other than an HHS official or employee as part of the breach response, is the disclosure permissible under the Privacy Act and, if permissible, how will the disclosure be documented in the accounting of the disclosures HHS maintains for the system of records? 
  • If additional PII is necessary to contact or verify the identity of individuals potentially affected by the breach, does that information require new or revised SORNs or PIAs? 
  • Are the relevant SORNs, PIAs, and privacy notices accurate and up to date? 

Information sharing in response to a breach 

When responding to a breach, the CMS Breach Response Team, in coordination with the Affected Program Office, often needs additional information to reconcile or eliminate duplicate records, identify potentially affected individuals, or obtain contact information to provide notification. Accordingly, Affected Program Offices and the CMS Breach Response Team may need to combine information maintained in different information systems within HHS, share information between agencies, or share information with a non-Federal entity.

When contemplating the potential information sharing that may be required in response to a breach, Affected Program Offices and CMS Breach Response Teams must consider the following: 

  • Would the information sharing be consistent with applicable law and with existing agreements or require new data use agreements, information exchange agreements, or memoranda of understanding? 
  • How will PII be transmitted and protected when in transmission, for how long will it be retained, and may it be shared with third parties? 

Identifying requirements for additional reporting  

When responding to a breach, CMS Breach Response Teams, in coordination with the Affected Program Office, must identify what additional reporting requirements may apply. For example, certain information and information systems may be subject to other reporting requirements, including the HIPAA Breach Notification Rule. The CMS SOP must ensure that appropriate subject matter experts who can identify those requirements are part of the CMS Breach Response Team. 

The CMS Breach Response Team must also coordinate with the HHS Breach Response Team to identify whether reporting to law enforcement, Office of Inspector General, and/or Office for Civil Rights is appropriate or required. 

When a breach warrants a report to law enforcement, CMS Breach Response Teams must ensure that the report occurs promptly, even if the breach is unconfirmed or the circumstances are still unclear. Prompt referral to law enforcement can prevent PII from being further compromised and, in some cases, can reduce the risk of harm to potentially affected individuals.   

Assessing the potential risk of harm to affected individuals

To properly escalate and tailor breach response activities, CMS Breach Response Teams must conduct and document an assessment of the risk of harm to individuals potentially affected by a breach. The HHS Breach Response Team will review and affirm the CMS Breach Response Team’s risk assessment and findings. The risk assessment must consider the following factors:

  • Nature and sensitivity of the PII
  • Likelihood of access to and use of PII
  • Type of breach

For detailed explanations and guidance for each factor, please see Factors for Assessing the Risk of Harm to Potentially Affected Individuals.   

When assessing the risk of harm to individuals potentially affected by a breach, CMS Breach Response Teams must consider the potential harm that could result from the loss or compromise of PII. Such harms may include the effect of a breach of confidentiality or fiduciary responsibility, the potential for blackmail, the disclosure of private facts, mental pain and emotional distress, financial harm, the disclosure of contact information for victims of abuse, the potential for secondary uses of the information which could result in fear or uncertainty, or the unwarranted exposure leading to humiliation or loss of self-esteem. 

Additionally, pursuant to the Privacy Act, HHS must establish appropriate administrative, technical, and physical safeguards to ensure the security and confidentiality of records to protect against any anticipated threats or hazards to the security or integrity of records which could result in “substantial harm, embarrassment, inconvenience, or unfairness to any individual on whom information is maintained.” 

CMS Breach Response Teams must consider all risks relevant to the breach, which may include risks to HHS, HHS information systems, HHS programs and operations, the Federal Government, or national security. Those additional risks may influence HHS’s overall response to a breach, and the steps HHS should take to notify individuals. CMS acknowledges that different standards may apply in some cases and will err on the side of caution when determining whether notification is necessary.

Convening the HHS Breach Response Team

The HHS SAOP or designee will determine whether to convene the HHS Breach Response Team upon becoming aware of a report of a suspected or confirmed breach.

Breaches that do not pose a reasonable likelihood of harm

CMS is empowered by HHS to complete its own investigation and mitigation. This investigation must include an assessment of the potential risk of harm to potentially affected individuals. CMS must submit the results of its investigation and mitigation to PIM. PIM reviews the submitted information and either approves the “closure” of the breach record or asks CMS to provide additional information or mitigation activities.

Breaches requiring notification to potentially affected individuals 

If the CMS Breach Response Team or PIM determines that the potential risk of harm to potentially affected individuals warrants notification, PIM will alert the HHS Breach Response Team on behalf of the HHS SAOP. The Affected Program Office and CMS Breach Response Team are responsible for developing a robust response plan and a draft of the notification letter(s). The Affected Program Office is responsible for obtaining CMS Breach Response Team approval for the draft notification letter prior to submitting it to the HHS Breach Response Team. The breach response plan and draft notification letter must complete CMS clearance procedures prior to submission to the HHS Breach Response Team.

The HHS Breach Response Team will convene to review the response plan and draft notification letter(s). Members of the CMS Breach Response Team (usually the SOP and CISO), including one or more representatives from the Affected Program Office, must attend the HHS Breach Response Team meeting to respond to questions about the breach and its investigation and mitigation. The HHS Breach Response Team must approve all notification materials (including the method of notification and the Notifying Official) and any mitigation services (e.g., credit monitoring) prior to issuance.

Mitigating the risk of harm to individuals potentially affected by a breach 

After assessing the risk of harm to individuals potentially affected by a breach, the CMS Breach Analysis Team must consider how best to mitigate the identified risks. Because each breach is fact-specific, the decision of whether to offer guidance or provide services to individuals will depend on the circumstances of the breach. The CMS Breach Analysis Team must consider the risk of harm determined in accordance with OMB M-17-12; for detailed explanations and guidance, please see Factors for Assessing the Risk of Harm to Potentially Affected Individuals.   

The CMS Breach Response Team must determine and document the actions that CMS will take to mitigate the risk of harm, based on recommendations by the CMS Breach Analysis Team. The HHS Breach Response Team will review and affirm the decisions made by the CMS Breach Response Team.

Countermeasures

When determining how to mitigate the risk of harm to individuals potentially affected by a breach, CMS Breach Response Teams must consider what countermeasures they can take. Countermeasures may not always prevent harm to potentially affected individuals but may limit or reduce the risk of harm. If the information is only useful in a specific context, there may be context-specific countermeasures that can be taken to limit the risk of harm. For example, if information related to disability beneficiaries is potentially compromised, CMS Breach Response Teams may consider monitoring beneficiary databases for unusual activity that may signal fraudulent activity, such as a sudden request for a change of address. Similarly, if individuals’ passwords are potentially compromised in a breach, CMS Breach Response Teams should require those users to change their passwords.

Guidance

When determining how to mitigate the risk of harm to individuals potentially affected by a breach, the CMS Breach Response Team must consider providing guidance to those individuals on how they can mitigate their own risk of harm. For example, to mitigate the risk of harm resulting from a breach, individuals can set up fraud alerts or credit freezes, change or close accounts, and utilize services made available by the Federal Trade Commission (FTC). Information available at IdentityTheft.gov/databreach can be leveraged as the baseline when drafting guidance. Additionally, CMS Breach Response Teams may advise individuals to change passwords and encourage the use of multi-factor authentication for account access.

For examples of mitigation actions to reduce the risk of harm, see Examples of Guidance and Services HHS May Offer.  

Services

When determining how to mitigate the risk of harm to individuals potentially affected by a breach, CMS Breach Response Teams must determine if there are services that address the types of risk posed by the breach. Many of the services currently available only mitigate risks of financial identity theft, and even the most comprehensive services are unable to mitigate the potential harms resulting from the evolving threat and risk landscape. When selecting services, CMS Breach Response Teams must identify those services that best mitigate the specific risk of harm resulting from the breach. 

As a general practice, services such as credit or identity monitoring may be offered by default in instances where highly sensitive identifiers, such as Social Security Numbers or financial account numbers, are involved. If CMS Breach Response Teams determine that no service currently available mitigates a specific risk of harm, they may make a recommendation to the HHS Breach Response Team to not provide services to potentially affected individuals. Choosing not to provide services is a decision separate from the decision to provide notification, and there may be circumstances where potentially affected individuals are notified but not provided services. The HHS Breach Response Team must approve the decision to provide credit monitoring and/or other services. 

When choosing identity monitoring, credit monitoring, and other related services to mitigate the risk of harm to individuals potentially affected by a breach, CMS Breach Response Teams should utilize the U.S. General Services Administration (GSA) Blanket Purchase Agreements (BPAs) in accordance with OMB Memorandum M-16-14 (PDF).

For examples of mitigation services to reduce the risk of harm, see Examples of Guidance and Services HHS May Offer.

Notifying individuals potentially affected by a breach

CMS Breach Response Teams must consider the assessed risk of harm (see assessing risk of harm to affected individuals earlier in this plan) when making a recommendation to the HHS Breach Response Team on whether to notify individuals potentially affected by a breach. The HHS SAOP, in coordination with the HHS Breach Response Team, is responsible for determining and, as appropriate, advising the HHS Secretary whether and when to notify individuals potentially affected by a breach.  

If the HHS Breach Response Team approves guidance, countermeasures, or services to potentially affected individuals, it will be necessary to notify those individuals of the breach and of the steps taken to mitigate any identified risks, particularly if any of those steps require action on their part. For example, if the HHS Breach Response Team decides to approve identity and credit monitoring for individuals potentially affected by a particular breach, the Notifying Official must notify those individuals so that they can use the service. The Notifying Official may also choose to notify those individuals even when not providing a specific service. For example, the HHS Breach Response Team may decide to notify individuals that their passwords were potentially compromised by a breach and offer guidance but no services. 

When making their recommendation to the HHS Breach Response Team, CMS Breach Response Teams must balance the need for transparency with concerns about over-notifying individuals. Notification may not always be helpful to potentially affected individuals, and CMS Breach Response Teams should exercise care to evaluate the benefit of providing notice to individuals or notifying the public.

In circumstances where multiple notification requirements apply to a breach (e.g., HIPAA breach notification requirements), CMS Breach Response Teams should provide a notice to potentially affected individuals that complies with all applicable requirements.

When a determination is made that it is necessary to notify individuals potentially affected by a breach, the HHS Breach Response Team, with the recommendation of the CMS Breach Response Teams, must consider the factors described in the following sections.

Source of the notification (Notifying Official)

When notification is necessary, helpful, or otherwise required, the HHS Secretary, or a senior-level individual he or she may designate, must be the source of the notification to potentially affected individuals (the “Notifying Official”). When a breach involves CMS, the CMS Head should act as the Notifying Official. With the approval of the HHS Breach Response Team, the CMS Head may designate a senior official as the Notifying Official.

Source of notifications for breaches involving contractors

When PII that is created, collected, used, processed, stored, maintained, disseminated, disclosed, or disposed of by a contractor or subcontractor on behalf of HHS (including contractors or subcontractors of CMS) is involved in a breach, CMS Breach Response Teams may recommend that the HHS SAOP require the contractor to act as the Notifying Official. In accordance with the HHS Policy for Information Technology Procurements - Security and Privacy Language, contractors or subcontractors should not provide notification without prior approval from the HHS Breach Response Team and appropriate direction from the applicable Contracting Officer.

Timeliness of the notification

The Notifying Official must notify individuals potentially affected by a breach as expeditiously as practicable, without unreasonable delay, and in accordance with applicable law, including HIPAA, when applicable. As a practical matter, the Notifying Official should avoid providing multiple notifications for a single breach and should balance the timeliness of the notification with the need to gather and confirm information about a breach and assess the risk of harm to potentially affected individuals. If a technical issue contributed to the breach, the Notifying Official, in coordination with the CMS Breach Response Team and the HHS Breach Response Team, may also consider whether the issue has been corrected or resolved prior to providing notification. 

The Attorney General, the head of an element of the Intelligence Community, or the Secretary of the Department of Homeland Security (DHS) may instruct HHS to delay notifying individuals potentially affected by a breach if the notification would disrupt a law enforcement investigation, endanger national security, or hamper security remediation actions. Any instruction to delay notification must be sent to the HHS Secretary.

Contents of the notification

Notification provided to individuals potentially affected by a breach must be concise and use plain language. Notifications should avoid generic or repetitive language and should be tailored to the specific breach. In some instances, the Affected Program Office, in coordination with the CMS Breach Response Team, may need to draft different notifications for different populations affected by the same breach. The HHS Breach Response Team must approve the contents of notifications prior to distribution.  

At a minimum, notifications must include the following:

  • An introductory sentence stating directly that the letter is for the purpose of reporting a breach of the individual’s personally identifiable information
  • A brief description of what happened, including the date(s) of the breach and of its discovery
  • A description of the types of PII compromised by the breach (e.g., full name, SSN, date of birth, home address, account number, and disability code), to the extent possible 
  • A statement of whether the information was encrypted or protected by other means, when it is determined that disclosing such information would be beneficial to potentially affected individuals and would not compromise the security of the information system
  • Guidance to potentially affected individuals on how they can mitigate their own risk of harm, countermeasures being taken, and services being provided to potentially affected individuals, if any
  • Steps being taken, if any, to investigate the breach, to mitigate losses, and to protect against a future breach 
  • A description of how potentially affected individuals can learn more information about the breach, including a telephone number (preferably toll-free), email address, and postal address

The Affected Program Office, in coordination with the CMS Breach Response Team and approved by the HHS Breach Response Team, may provide additional details in a Frequently Asked Questions (FAQ) format on the HHS website or via an enclosure. The online FAQs may be beneficial because they can be easily updated, contain links to more information, provide more tailored information than the formal notification, and can be easily translated into multiple languages. 

For a breach that potentially affects a large number of individuals, or as otherwise appropriate, the Affected Program Office, in coordination with the CMS Breach Response Team and approved by the HHS Breach Response Team, should establish toll-free call centers staffed by trained personnel to handle inquiries from the potentially affected individuals. If the Affected Program Office knows that the potentially affected individuals or a subset thereof are not English speaking, or require translation services, notification should also be provided in the appropriate languages to the extent feasible.   

Method of notification

The HHS Breach Response Team must approve the method for providing notification. First-class mail notification to the last known mailing address of the individual in HHS records should be the primary means by which notification is provided. However, the best method for providing notification will potentially depend on the number of individuals affected, the available contact information for the potentially affected individuals, and the urgency with which the individuals need to receive the notification. See Methods of Notification for more information about providing notification via mail, telephone, or email, or via substitute notification. All notification language must be approved by the HHS Breach Response Team prior to distribution.

Special considerations

When a breach potentially affects a vulnerable population, the Notifying Official may need to provide a different type of notification to that population or provide a notification when it would not otherwise be necessary. There may be instances when the Notifying Official provides notification to individuals other than those whose PII was potentially compromised. For example, when the individual whose information was potentially compromised is a child, the Notifying Official may provide notification to the child’s legal guardian(s). Special care may be required to determine the appropriate recipient in these cases.

The Affected Program Office, in consultation with the HHS Breach Response Team and CMS Breach Response Team, must also give special consideration to providing notice to individuals who are visually or hearing impaired consistent with Section 508 of the Rehabilitation Act of 1973, as amended. Accommodations may include establishing a Telecommunications Device for the Deaf (TDD) or posting a large-type notice on HHS.gov.

Follow-up notifications to affected individuals

If the investigation determines there has been a significant change to the potential risk facing affected individuals, additional notifications to affected individuals may be appropriate. For example:

  • An individual’s information was not actually affected by the breach 
  • Additional sensitive data elements are found to have been affected by the breach
  • Evidence of misuse of the breached information is discovered

The Affected Program Office, in coordination with the CMS Breach Response Team, is responsible for developing the follow-up notification letter. The follow-up notification letter must be approved by the HHS Breach Response Team prior to being issued.

Responding to a breach constituting a major incident

Major incidents have additional reporting requirements, published in annual guidance from OMB. Users of this Plan should consult the guidance in effect at the time of the incident. As of the issuance of this Plan, a major incident is either:

“A. Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. Agencies should determine the level of impact of the incident by using the existing incident management process established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Computer Security Incident Handling Guide, or

B. A breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.”

OMB further requires the determination of a major incident for any unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to the PII of 100,000 or more people.

As with all HHS breach response activities, the ultimate authority and decision-making ability for HHS major incident breach response lies with the HHS Secretary and HHS SAOP.

Reporting a potential major incident to HHS

If a breach has the potential to be a major incident as defined by OMB or to otherwise draw significant media, public, or Congressional interest, the CMS Breach Response Team must alert PIM and CSIRC as soon as possible and without unreasonable delay that they believe there is a reasonable basis to conclude that a breach constitutes a major incident. 

PIM will alert the HHS SAOP of the report of a potential major incident. With SAOP concurrence, PIM will inform the HHS Breach Response Team (see Confirming a breach has occurred section) of the potential major incident so they may be prepared to respond. The HHS SAOP will also alert representatives from the offices of the HHS Secretary and Deputy Secretary.

With HHS SAOP approval, the HHS and CMS Breach Response Teams, in coordination with CSIRC and PIM, may consult with CISA and/or the OMB Office of the Federal CIO (OMB OFCIO) to obtain their guidance as to whether there is a reasonable basis to conclude that a breach is a major incident.

Determining a breach is a major incident

The determination that there is a reasonable basis to conclude that a breach is a major incident is made by the CMS Breach Response Team with the approval of the HHS SAOP. The HHS SAOP has the ultimate authority to determine that there is a reasonable basis to conclude that a breach constitutes a major incident. In the event of a major incident, the HHS SAOP may determine that organizations on the HHS Breach Response Team must be represented by a member of their senior leadership. The HHS SAOP will establish a cadence for HHS Breach Response Team meetings and updates from the CMS Breach Response Team. 

The CMS Breach Response Team is responsible for developing a major incident response plan, including points of contact and their corresponding responsibilities and response timelines, and submitting it to the HHS Breach Response Team for approval. 

Initial notification to CISA and OMB Office of the Federal CIO

The HHS SAOP, supported by the chair of the CMS Breach Response Team, must inform CISA and the OMB Office of the Federal CIO (OMB OFCIO) within one hour of determining there is a reasonable basis to conclude that a breach constitutes a major incident. 

Upon receiving notification, OMB will set up a meeting for HHS to brief OMB OFCIO. The HHS Breach Response Team and the CMS Breach Response Team are responsible for ensuring all necessary individuals are on the call. 

Notification to Congress and HHS Office of the Inspector General (OIG)

Once HHS has determined there is a reasonable basis to conclude that a major incident has occurred, HHS must notify Congress and the HHS Office of the Inspector General (OIG) within seven days.

The CMS Breach Response Team is responsible for developing the content of the report and submitting it to the HHS Breach Response Team for approval. This report should consider the information known at the time of the report, the sensitivity of the details associated with the incident, and the classification level of the information. 

All materials must be reviewed and approved by the HHS Breach Response Team. The review and approval process will determine who will submit the report to Congress and HHS OIG. The report is not to be submitted until that determination is made by the HHS Breach Response Team.

Supplemental reporting to Congress

Agencies are required to supplement their initial major incident notifications to Congress with pertinent updates within a reasonable period of time after additional information relating to the incident is discovered. The CMS Breach Response Team is responsible for developing any supplemental reports and submitting them to the HHS Breach Response Team for approval. The supplemental report must include summaries of:

  • The threats and threat actors, vulnerabilities, and impacts relating to the incident 
  • The risk assessments conducted on the affected information systems before the date on which the incident occurred 
  • The status of compliance of the affected information systems with applicable security requirements at the time of the incident
  • The detection, response, and remediation actions taken

Agencies must also submit another report no later than 30 days after the agency discovers a breach constituting a major incident. The CMS Breach Response Team is responsible for developing a comprehensive 30-day supplemental report that includes the items above, as well as summaries of:

  • A summary of information available about the breach, including how the breach occurred, based on information available to agency officials on the date the agency submits the report 
  • An estimate of the number of individuals affected by the breach, including an assessment of the risk of harm to affected individuals based on information available to agency officials on the date the agency submits the report
  • A description of any circumstances necessitating a delay in providing notice to affected individuals 
  • An estimate of whether and when the agency will provide notice to affected individuals (per OMB M-25-04 (PDF))

All supplemental reports must be reviewed and approved by the HHS Breach Response Team. The review and approval process will determine who will submit the report to Congress. The report is not to be submitted until that determination is made by the HHS Breach Response Team.

Other communication related to major incidents

Communication with the Executive Office of the President (EOP) Agencies 

Any communication with OMB, the Office of the National Cyber Director (ONCD), the National Security Council (NSC), or other offices in the EOP will be issued by the HHS Breach Response Team after internal coordination with, and approval by, the Office of the HHS Secretary (OS). Should any EOP organization reach out directly to CMS regarding the breach, that communication must be sent to the HHS SAOP prior to replying. The HHS SAOP will determine what other offices, if any, are necessary to review the proposed reply. Any replies must be approved by the HHS SAOP prior to issuing a response.

Communication with Congress

Any communication issued to Congress must be approved by the HHS Breach Response Team Assistant Secretary for Legislation (ASL) representative before issuance. Any communication from Congress must be submitted to the ASL representative for review. The ASL representative will coordinate within HHS as needed.

Communication with the media

Any press releases issued to the media must be approved by the HHS Breach Response Team Assistant Secretary for Public Affairs (ASPA) representative before issuance. Any inquiries from the media must be submitted to the ASPA representative for review. The ASPA representative will coordinate within HHS as needed.

Communication with law enforcement 

If applicable, the CMS Breach Response Team, in coordination with the HHS Breach Response Team, will communicate with relevant law enforcement organizations. 

Communication with the HHS Office for Civil Rights (OCR)

If applicable, coordination on HIPAA matters with OCR will be executed by the HHS Breach Response Team, in collaboration with the CMS Breach Response Team.

Annual reporting 

To meet Federal Information Security Modernization Act (FISMA) requirements, CMS must report annually to the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS) on the status of its information security and privacy programs. These reports are based on metrics developed collaboratively by OMB, CISA, and interagency partners and include CIO, Inspector General (IG), and SAOP metrics. CIO metrics track implementation of NIST standards, Executive Orders, and cybersecurity initiatives, emphasizing risk management and governance rather than compliance. 

IG metrics evaluate the effectiveness of CMS’s information security programs through independent assessments conducted on an annual or multi-year cycle, focusing on practical risk-based evaluations. SAOP metrics address privacy management, requiring annual submission of key privacy documents such as the agency’s privacy program plan, breach response plan, and continuous monitoring strategy. 

In alignment with FISMA and OMB guidance, the CMS Administrator must also submit an annual signed letter to OMB and DHS verifying awareness and validation of the agency’s FISMA report. This letter must assess the adequacy and effectiveness of CMS’s information security policies, provide incident and breach details, and describe major incidents, including the affected systems, vulnerabilities, and remediation actions. In addition to annual reports being submitted to OMB and DHS, FISMA requires CMS to submit the annual FISMA reports to the Chairman and Ranking Members of select Congressional Committees as well as the Comptroller General of the United States.

Roles and responsibilities

CMS Administrator

The responsibilities of the CMS Administrator include, but are not limited to, the following: 

  • Provide a representative to the CMS Breach Response Team in the event of a major incident (the COO, Deputy COO, or both)
  • Act as the Notifying Official 
  • Obtain the approval of the HHS Breach Response Team prior to designating a senior official as a Notifying Official 

Contractors and subcontractors

The responsibilities of all contractors and subcontractors include, but are not limited to, the following:

  • Provide information to HHS to inform breach assessment and response (see Guidance section)
  • When required and approved by the HHS SAOP, notify any potentially affected individuals when PII created, collected, stored, maintained, disseminated, disclosed, or disposed of on behalf of HHS is involved in a breach (see Annual reporting section)

CMS Breach Response Team

The CMS Breach Response Team is a group of officials convened to assist the CMS Head with CMS’s response to a breach. The CMS Breach Response Team must consist of, at a minimum, the CMS Senior Official for Privacy (SOP), CMS Chief Information Officer (CIO), CMS Chief Information Security Officer (CISO), CMS legal counsel, CMS legislative affairs official, and CMS communications official. The responsibilities of the CMS Breach Response Team include, but are not limited to, the following:

  • At a minimum, convene for any breach that will be submitted to the HHS Breach Response Team (see Investigating and responding to breaches involving contractors section) 
  • For any breach where a single breach affects multiple HHS components, investigate and mitigate the breach as it pertains to CMS, including enforcing contractual requirements and providing all requested information to the HHS Breach Response Team to enable accurate and consistent reporting pursuant to FISMA (see Information sharing in response to a breach section)
  • In coordination with Affected Program Offices and the CMS SOP, assess whether the data involved in a breach is PII to determine this Policy’s applicability (see Countermeasures section)
  • In coordination with the Affected Program Office, seek additional information, as necessary, to reconcile or eliminate duplicate records, identify potentially affected individuals, or obtain contact information to provide notification (see Information sharing in response to a breach section)
  • For all breaches involving contractors and subcontractors, review the contract to determine the privacy compliance and breach response obligations the contractor or subcontractor has pursuant to the contract (see Guidance section)
  • In coordination with the Affected Program Office, identify what additional reporting requirements may apply to the breach (see Identifying Requirements for Additional Reporting section)
  • Coordinate with the HHS Breach Response Team to identify whether reporting to law enforcement, Office of Inspector General, and/or Office for Civil Rights is appropriate or required (see Identifying Requirements for Additional Reporting section)
  • When a report to law enforcement is warranted, ensure that the report occurs promptly even if a breach is unconfirmed or circumstances are still unclear (see Identifying Requirements for Additional Reporting section)
  • Conduct and document a comprehensive assessment of the potential risk of harm to individuals potentially affected by a breach (see Assessing the potential risk of harm to affected individuals section)
  • Approve all response plans and draft notification letters prior to submittal to the HHS Breach Response Team  (see Timeliness of the notification section)
  • Investigate and mitigate breaches posing a low risk of potential harm to potentially affected individuals and submit the results thereof to PIM for review (see Source of notifications for breaches involving contractors section)
  • In coordination with the Affected Program Office, attend the HHS Breach Response Team meeting to respond to questions about CMS’s breach and its investigation and mitigation (see Timeliness of the notification section)
  • With the HHS Breach Response Team’s review and affirmation, determine how best to mitigate the risk of harm to individuals potentially affected by a breach and document the actions HHS will take to mitigate that risk (see Responding to a breach constituting a major incident section)
  • Consider the assessed risk of harm and make a recommendation to the HHS Breach Response Team on whether to notify individuals potentially affected by a breach (see Annual reporting section)
  • For a breach that potentially affects a large number of individuals, or as otherwise appropriate, in coordination with the Affected Program Office and approved by the HHS Breach Response Team, establish toll-free call centers staffed by trained personnel to handle inquiries from the potentially affected individuals (see Contents of the notification section)
  • In consultation with the Affected Program Office and CMS Breach Response Team, consider whether it is appropriate to establish an ongoing communication method for interested individuals to automatically receive updates in instances where there is an ongoing investigation and the facts and circumstances of a breach are evolving (see Methods of notification section)
  • In consultation with the Affected Program Office and HHS Breach Response Team, update the addresses of individuals being notified by consulting with other agencies such as the U.S. Postal Service if there is reason to believe the known address is no longer current (see Methods of notification section)
  • In consultation with the HHS Breach Response Team and the Affected Program Office, give special consideration to providing notice to vulnerable populations and individuals who are visually or hearing impaired (see Special Considerations section)
  • Alert PIM and CSIRC as soon as possible and without delay, if a breach has the potential to be a major incident as defined by OMB or to otherwise draw significant media, public, or Congressional interest (see CMS Administrator section)
  • With HHS SAOP approval, and in coordination with the HHS Breach Response Team, consult with CISA and/or the OMB Office of the Federal CIO (OMB OFCIO) to obtain their guidance as to whether a breach should be considered a major incident (see CMS Administrator section)
  • With approval of the HHS SAOP, determine that there is a reasonable basis to conclude that a breach is a major incident (see Contractors and subcontractors section)
  • Provide updates on the major incident response at a cadence determined by the HHS SAOP (see Contractors and subcontractors section)
  • Develop, and submit to the HHS Breach Response Team for approval, a major incident response plan, including points of contact and timelines (see Contractors and subcontractors section)
  • Support the HHS SAOP with informing CISA and OMB Office of the Federal CIO (OFCIO) of a major incident within one hour of that determination (see CMS Breach Response Team section)
  • In coordination with the HHS Breach Response Team, ensure all appropriate CMS representatives participate in briefing calls with CISA and OMB OFCIO (see CMS Breach Response Team section)
  • Develop the initial report of a major incident to Congress and HHS OIG and submit it to the HHS Breach Response Team for approval (see CMS Chief Information Security Officer section)
  • Develop and submit to the HHS Breach Response Team for approval any supplemental reports to Congress and OIG (see Supplemental reporting to Congress section)

CMS Chief Information Security Officer (CISO)

The responsibilities of CMS CISO include, but are not limited to, the following:

  • In collaboration with the HHS CISO, assist with ascertaining whether information was properly encrypted when evaluating the likelihood of access and use of PII potentially compromised by a breach (see Security safeguards section)

CMS Senior Official for Privacy (SOP)

The CMS Senior Official for Privacy (SOP) manages the implementation of privacy requirements within CMS on behalf of the HHS SAOP. The CMS SOP must have the position, authority, and expertise necessary to lead and direct CMS’s privacy program and carry out the privacy-related functions described in law and OMB policies. The responsibilities of the CMS SOP include, but are not limited to, the following:

  • Serve as a member of the CMS Breach Response Team (see Investigating and responding to breaches involving contractors section) 
  • In coordination with Affected Program Offices and the CMS Breach Response Team, assess whether the data involved is PII (see Countermeasures section)
  • Ensure that appropriate subject matter experts who can identify additional breach reporting requirements are part of the CMS Breach Response Team (see Guidance section)
  • In coordination with the Affected Program Office, identify all the applicable privacy compliance documentation, such as system of records notices (SORNs), privacy impact assessments (PIAs), and privacy notices (see Services section)

CMS Contracting Officer

For breaches involving a contractor or subcontractor, the responsibilities of the relevant Contracting Officer include, but are not limited to, the following:

  • Serve on the CMS Breach Response Team (see Investigating and responding to breaches involving contractors section) 
  • Coordinate communication with the contractor (see Guidance section)
  • Participate in all discussions, meetings, and communications with the contractor regarding the breach (see Guidance section)
  • Serve as the authority on the contractor’s privacy compliance and breach response obligations pursuant to the contract (see Guidance section)
  • Provide direction to the contractor as approved by the CMS Breach Response Team and, when necessary, the HHS Breach Response Team (see Guidance section)

Affected Program Offices

For the purposes of this Plan, an Affected Program Office is the organization where the breach occurred, or if the breach occurred at a non-HHS entity managing federal information or a federal information system on behalf of HHS, the organization with programmatic oversight of that entity. The responsibilities of the Affected Program Office include, but are not limited to, the following:

  • Serve on the CMS Breach Response Team (see Investigating and responding to breaches involving contractors section) 
  • In coordination with the CMS SOP and the CMS Breach Response Team, assess whether the data involved is PII (see Countermeasures section)
  • Confirm whether the data involved in a potential or confirmed breach is federal data (see Countermeasures section)
  • For all breaches involving contractors or subcontractors, confirm the Contracting Officer is aware of the breach (see Guidance section)
  • In coordination with the CMS SOP, identify all the applicable privacy compliance documentation, such as system of records notices (SORNs), privacy impact assessments (PIAs), and privacy notices on information collection instruments related to the breach (see Services section)
  • In coordination with the CMS Breach Response Team, seek additional information, as necessary, to reconcile or eliminate duplicate records, identify potentially affected individuals, or obtain contact information to provide notification (See Information sharing in response to a breach section)
  • In coordination with the CMS Breach Response Team, identify what, if any, additional reporting requirements may apply to the breach (see Identifying Requirements for Additional Reporting section)
  • In coordination with the CMS Breach Response Team, develop a robust response plan and a draft notification letter(s). The Affected Program Office must obtain CMS Breach Response Team approval for the draft notification letter(s) prior to submitting them to the HHS Breach Response Team. Any follow-up notification letters must also be approved (see Timeliness of the notification and Annual reporting sections)
  • Provide a representative(s) to participate in the HHS Breach Response Team meeting(s) (see Investigating and responding to breaches involving contractors and Timeliness of the notification sections)  
  • Obtain HHS Breach Response Team approval prior to issuing notifications or services to potentially affected individuals (see Timeliness of the notification, Responding to a breach constituting a major incident and Annual reporting sections)
  • For a breach that potentially affects a large number of individuals, or as otherwise appropriate, the Affected Program Office, in coordination with the CMS Breach Response Team and approved by the HHS Breach Response Team, should establish toll-free call centers staffed by trained personnel to handle inquiries from the potentially affected individuals (see Contents of the notification section)
  • Provide notification in the appropriate languages to the extent feasible if it is known that the potentially affected individuals, or a subset thereof, are not English speaking or require translation services (see Contents of notification section)
  • In consultation with the CMS Breach Response Team and HHS Breach Response Team, update the addresses of individuals being notified by consulting with other agencies such as the U.S. Postal Service, if there is reason to believe the known address is no longer current (see Methods of notification section)
  • In consultation with the HHS Breach Response Team and CMS Breach Response Team, consider whether it is appropriate to establish an ongoing communication method for interested individuals to automatically receive updates in instances where there is an ongoing investigation and the facts and circumstances of a breach are evolving (see Methods of notification section)
  • In consultation with the HHS Breach Response Team and CMS Breach Response Team, give special consideration to providing notice to vulnerable populations and individuals who require special consideration, such as individuals who are visually or hearing impaired (see Special considerations section)

Notifying Official 

The responsibilities of the Notifying Official include, but are not limited to, the following:

  • With the approval of the HHS Breach Response Team, notify individuals potentially affected by a particular breach of services offered to mitigate the risk of harm (see Annual reporting section)
  • When a breach affects a vulnerable population, consider the need to provide a different type of notification to that population or provide a notification that would otherwise not be necessary (see Special considerations section)

Attachment A: Assessing the risk of harm 

In accordance with OMB M-17-12 Preparing for and Responding to a Breach of Personally Identifiable Information, this attachment provides additional guidance regarding assessing the risk of harm to individuals potentially affected by a breach and examples of guidance and services HHS may offer those individuals.

Factors for assessing the risk of harm to potentially affected individuals

At a minimum, CMS Breach Response Teams must consider the following factors when assessing the risk of harm to individuals potentially affected by a breach: nature and sensitivity of PII; likelihood of access and use of PII; and type of breach. The factors are discussed in more detail below.

Nature and sensitivity of PII

At a minimum, CMS Breach Response Teams must consider the following when assessing the nature and sensitivity of PII potentially compromised by a breach.

Data elements

CMS Breach Response Teams must evaluate the sensitivity of each data element. Certain data elements are particularly sensitive and may alone present an increased risk of harm to the individual. These data elements include, but are not limited to, Social Security numbers (SSNs), passport numbers, driver’s license numbers, state identification numbers, bank account numbers, passwords, alien registration numbers, and biometric identifiers.

In addition to evaluating the sensitivity of each data element, CMS Breach Response Teams must also evaluate the sensitivity of all the data elements together. Sometimes multiple pieces of information, none of which are particularly sensitive in isolation and would not present a risk of harm to the individual, may present an increased risk of harm to the individual when combined. For example, date of birth, place of birth, address, and gender may not be particularly sensitive alone, but when combined would pose a greater risk of harm to the individual.

When assessing the nature and sensitivity of potentially compromised PII, CMS Breach Response Teams should not limit the scope of the evaluation to the sensitivity of the information involved in the breach. CMS Breach Response Teams must also consider information that may have been potentially compromised in a previous breach, as well as any other available information that when combined with the information may result in an increased risk of harm to the individuals.

Context

The CMS Breach Response Teams must consider the context, which includes the purpose for which the PII was collected, maintained, and used. This assessment is critical because the same information in different contexts can reveal additional information about the impacted individuals. For example, a list of personnel and their associated office phone numbers may not be particularly sensitive. However, the same list of personnel and their associated office phone numbers on a list of personnel who receive specific health benefits, such as mental health counseling, is sensitive information. Similarly, the same list of names and associated phone numbers on a list of individuals, along with information about a medical condition, is also sensitive.

Private information

CMS Breach Response Teams must evaluate the extent to which the PII constitutes information that an individual would keep private. Such “private information” may not present a risk of identity theft or other criminal conduct, but may pose a risk of harm such as embarrassment, blackmail, or emotional distress. Examples of private information include: derogatory personnel or criminal information; personal debt and finances; medical conditions; treatment for mental health or substance abuse disorder; pregnancy-related information, including pregnancy termination; sexual history or sexual orientation; adoption or surrogacy information; and immigration status. Passwords are another example of private information that, if involved in a breach, may present a risk of harm.

Vulnerable populations

CMS Breach Response Teams must consider whether the potentially affected individuals are from a particularly vulnerable population that may be at greater risk of harm than the general population. Potentially vulnerable populations include but are not limited to: children, active duty military, government officials in sensitive positions, senior citizens, individuals with disabilities, confidential informants, witnesses, certain populations of immigrants, non-English speakers, and victims of certain crimes such as identity theft, child abuse, trafficking, domestic violence, or stalking. This is not a comprehensive list, and other populations may also be considered vulnerable.

Permanence

CMS Breach Response Teams must consider the permanence of the PII, which includes an assessment of the relevancy and utility of the information over time and whether the information will permanently identify an individual. Some information loses its relevancy or utility with time, while other information is likely to apply to an individual throughout his or her life. For example, an individual’s health insurance ID number can be replaced. However, information about an individual’s health, such as family health history or chronic illness, may remain relevant for an individual’s entire life, as well as the lives of his or her family members.

Biometric information, including fingerprints, hand geometry, retina or iris scans, and DNA or other genetic information, should be given special consideration. When considering the nature and sensitivity of biometric information, CMS Breach Response Teams should factor in the known current uses of the information and consider that, with future advancements in science and technology, biometric information could have many additional uses not yet contemplated.

Likelihood of access and use of PII

CMS Breach Response Teams must consider the following when assessing the likelihood of access and use of PII potentially compromised by a breach.

Security safeguards

CMS Breach Response Teams, in consultation with appropriate security staff, must evaluate the implementation and effectiveness of security safeguards protecting the information. Security safeguards, when implemented properly, may significantly reduce the risk of harm to potentially affected individuals, even when the breached PII is highly sensitive. CMS Breach Response Teams must consider each of the employed security safeguards on a case-by-case basis and consider whether the type, value, or sensitivity of the information might motivate a malicious actor to put time and resources towards overcoming those safeguards.

When evaluating the likelihood of access and use of encrypted PII potentially compromised by a breach, CMS Breach Response Teams must confirm: 

  • Whether encryption was in effect
  • The degree of encryption
  • At which level (device, file, at rest, or in transit) the encryption was applied
  • Whether decryption keys were controlled, managed, and used

The protection provided by encryption may be undermined if keys, credentials, or authenticators used to access encrypted information are compromised. The HHS Chief Information Security Officer (CISO) and CMS CISO may help ascertain whether information was properly encrypted or otherwise safeguarded when evaluating the likelihood of access and use of PII potentially compromised by a breach.

Format and media

CMS Breach Response Teams must evaluate whether the format or media of the PII may make it difficult or resource-intensive to use. The format of the PII or the media on which it is maintained may make the PII more susceptible to a crime of opportunity. For example, a spreadsheet on a portable USB flash drive does not require any special skill or knowledge to access, and an unauthorized user could easily search for specific data fields such as an SSN.  Conversely, a magnetic tape cartridge used for backing up servers that contains a large volume of unstructured PII would require special expertise and equipment to access and use. 

CMS Breach Response Teams must also consider the type, value, or sensitivity of the PII. If the PII is particularly valuable, its value may outweigh the difficulty and resources needed to access the information, regardless of format or media.

Duration of exposure

CMS Breach Response Teams must consider the amount of time that the PII was exposed. PII that was exposed for an extended period of time is more likely to have been accessed or used by unauthorized users. For example, a briefcase containing PII left in a hotel lobby for an hour before being recovered is less likely to have been accessed by an unauthorized user than if it had been left for three days prior to being recovered. Similarly, PII inadvertently published to a public Internet page for an hour before being removed is less likely to have been accessed by an unauthorized user than if it had been available on the public Internet page for a week.

Evidence of misuse 

CMS Breach Response Teams must determine whether there is evidence of misuse.  In some situations, an agency may be able to determine with a high degree of certainty that PII has been or is being misused. Evidence may indicate that identity theft has already occurred as a result of a specific breach or that the PII is appearing in unauthorized external contexts. For example, law enforcement may confirm that PII is appearing on a website dedicated to the sale of stolen PII and may determine that there is strong evidence of misuse. Conversely, agencies may determine with reasonable certainty that the PII will not be misused. For example, a forensic analysis of a recovered device may reveal that the PII was not accessed.

Type of breach

Different types of breaches may pose different risks. CMS Breach Response Teams must consider the following when determining the type of breach.

Intent

CMS Breach Response Teams must consider whether the breach was intentional, unintentional, or whether the intent is unknown. If a breach was intentional, CMS Breach Response Teams should determine whether the information was the target, or whether the target was the device itself, like a mobile phone or laptop, and whether the compromise of the information was incidental. 

Examples of an intentional breach include the theft of a device storing PII from a car or office, the unauthorized intrusion into a government network that maintains PII, or an employee looking up a celebrity’s file in an agency database out of curiosity. While the risk of harm to individuals may often be lower when the information was not the target, the potential for a significant risk of harm to individuals may still exist.

The risk of harm to individuals may be lower when a breach is unintentional, either by user error or sometimes by failure to comply with agency policy. However, that is not always the case, and CMS Breach Response Teams must conduct a case-by-case assessment to determine the risk of harm. Examples of an unintentional breach include an employee accidentally emailing another individual’s PII to the wrong email address or storing personnel files in a shared folder that was thought to be access-controlled but was not.

In many circumstances, CMS Breach Response Teams may be unable to determine whether a breach was intentional or unintentional. In these instances, CMS Breach Response Teams must consider the possibility that the breach was intentional. For example, if an employee realizes her mobile device is missing, it may be that it was stolen intentionally or that she dropped it accidentally. Similarly, a shipment of files containing PII that never arrives at its destination may have been unintentionally lost or may have been intercepted by a malicious actor. 

For breaches that have been reported to law enforcement, CMS Breach Response Teams must consider any relevant information provided to the agency by law enforcement that may help inform whether the breach was intentional or unintentional.

Recipient

In some cases, CMS Breach Response Teams may know who received the compromised PII.  This information, when available, may help CMS Breach Response Teams assess the likely risk of harm to individuals. For example, a breach is often reported by a recipient who receives information he or she should not have. This may be an indication of a low risk of harm to individuals, particularly when the recipient is another employee within HHS’s IT network. 

One common type of low-risk breach is when an HHS employee sends an individual’s PII via email to another HHS employee who does not need to know that PII for his or her duties. In many such cases, it may be reasonable to conclude that there is a negligible risk of harm. Even where PII is inadvertently sent to an individual outside HHS, the risk of harm may be minimal if it is confirmed that, for example, the individual is known to HHS, acknowledged receipt of the PII, did not forward or otherwise use the PII, and the PII was properly, completely, and permanently deleted by the recipient. This is a breach that must be reported within HHS and appropriately responded to, but the risk of harm is low enough that the response often does not necessitate that HHS notify or provide services to the individual whose PII was compromised. 

Conversely, if analysis reveals that the PII is under the control of a group or person who is either untrustworthy or known to exploit compromised information, the risk of harm to the individual is considerably higher. In many cases, CMS Breach Response Teams will not have any information indicating that compromised or lost PII was ever received or acquired by anyone. In such circumstances, the CMS Breach Response Teams must rely upon the other factors set forth in this section.

Summary of factors for risk of harm

Nature and sensitivity of Personally Identifiable Information (PII)

Data Elements
  • Question: What is the sensitivity level of each individual data element that was breached or potentially breached?
    Additional Guidance: Certain data elements are particularly sensitive and may alone present an increased risk of harm to the individual. These data elements include, but are not limited to, Social Security Numbers (SSN), passport numbers, driver’s license numbers, state identification numbers, bank account numbers, passwords, and biometric identifiers.
  • Question: When combined, do the data elements pose a greater risk of harm to the individual?
    Additional Guidance: This consideration should include information that may have been potentially compromised in a previous breach, and any other available information that might result in an increased risk of harm to individuals.

Context
  • Question: What was the context of the potentially breached information?
    Additional Guidance: The context includes the purpose for which the PII was collected, maintained, and used.

Private Information
  • Question: To what extent would this type of PII constitute information that an individual would generally keep private?
    Additional Guidance: Examples of private information include: derogatory personnel or criminal information; personal debt and finances; medical conditions; treatment for mental health or substance abuse disorder; pregnancy-related information, including pregnancy termination; sexual history or sexual orientation; adoption or surrogacy information; and immigration status. Passwords are another example of private information that, if involved in a breach, may present a risk of harm.

Vulnerable Populations
  • Question: Are the potentially affected individuals from a particularly vulnerable population that may be at greater risk of harm than the general population?
    Additional Guidance: Potentially vulnerable populations include but are not limited to: children; active duty military; government officials in sensitive positions; senior citizens; individuals with disabilities; confidential informants; witnesses; certain populations of immigrants; non-English speakers; and victims of certain crimes such as identity theft, child abuse, trafficking, domestic violence, or stalking. This is not a comprehensive list, and other populations may also be considered vulnerable.

Permanence
  • Question: What is the permanence of the PII? Will the information, for example, permanently identify an individual, and remain relevant and useful over time?
    Additional Guidance: Special considerations are warranted, for example, when a breach involves biometric or health information.

Likelihood of access and use of PII

Security Safeguards
  • Question: What security safeguards were implemented to protect the breached information? If the information was encrypted: What was the degree of encryption? At what level was the encryption applied? Were decryption keys controlled, managed, and used?
    Additional Guidance: Examples may include encryption, redaction, data masking, and remote wiping of a connected device, in addition to physical safeguards.

Format and Media
  • Question: What was the format and media of the PII?
    Additional Guidance: Examples may include a spreadsheet on a portable USB flash drive or a magnetic tape cartridge used for backing up servers.

Duration of Exposure
  • Question: How long was the PII exposed?
    Additional Guidance: Duration can be measured by the length of time PII was left exposed on a website or unattended in a public space (e.g., two hours, four days, etc.).

Evidence of Misuse
  • Question: Is there evidence of misuse of the breached information?
    Additional Guidance: Examples may include distribution of information to malicious actors or posting information to a public website.

Type of breach

Intent
  • Question: Was the breach intentional, unintentional, or is the intent unknown?
    Additional Guidance: Intent may be indicated by the circumstances surrounding the breach, such as the actor and whether there is any evidence of misuse.

Recipient
  • Question: Who received the compromised PII?
    Additional Guidance: Examples may include: HHS employees or contractors only; members of the public; and external partners, including state and federal agencies and other entities with formal data sharing agreements.

Attachment B: Examples of guidance and services HHS may offer

Active duty alert: Service members who deploy can place an active duty alert on their credit reports to help minimize the risk of identity theft. These types of alerts on a credit report mean businesses must take extra steps before granting credit to an individual. Active duty alerts last for one year and can be renewed by the service member to match the period of their deployment. 

Credit freeze: A credit freeze restricts access to an individual’s credit report. When offering this type of guidance, CMS Breach Response Teams should be aware that because access to a credit report is usually required by creditors, a credit freeze can prevent creditors from approving a new account. 

Credit freezes for children: Guardians are sometimes able to place a freeze on a child’s credit, even if the child does not yet have a credit history. Several states mandate that all credit bureaus provide this option. Outside those states, the option may still be available depending on the credit bureau. In these instances, guardians may have to provide additional information about themselves as well as the child to show the relationship. 

Closing or changing accounts: Individuals should immediately dispute any unauthorized charges to existing accounts, including closing or changing account numbers so that unauthorized activity does not continue. This will not prevent new unauthorized accounts of which individuals may be unaware. 

Obtaining a free credit report: HHS may recommend that individuals obtain a free credit report yearly from each of the three national credit bureaus (Equifax, Experian, and Trans Union) from annualcreditreport.com or by calling the credit reporting agencies’ toll-free numbers. HHS may recommend that individuals review their credit reports for any accounts they do not recognize. 

Cyber hygiene: CMS Breach Response Teams may also consider providing individuals with resources on good cyber hygiene (e.g., setting up multi-factor authentication, using complex passwords). Resources include: DHS’s STOP.THINK.CONNECT. Campaign or the Federal Trade Commission’s Online Privacy and Security.

Deceased alerts: Deceased individuals can be at heightened risk for identity fraud that may impact the deceased individual’s estate. This creates liability for a surviving spouse if, for example, his or her name is on joint accounts. To prevent this, CMS could consider recommending that death certificates be sent to the Internal Revenue Service (IRS) as well as the major credit bureaus, with a request to place a “deceased alert” on the account to prevent new activity. 

Fraud alert: A fraud alert tells creditors that they must take reasonable steps to verify the identity of the individual who is applying for credit. A fraud alert also allows individuals to order one free copy of the individual’s credit report from each of the three national credit bureaus. To place this alert, HHS may recommend that individuals contact one of the three national credit bureaus, which must then notify the others. The initial fraud alert stays on the credit report for 90 days and can be renewed. 

Resources on the FTC site: The Federal Trade Commission (FTC) provides free identity theft resources for individuals on their website as well as community leaders, businesses, advocates, and law enforcement to share in their communities. The website includes resources on proactive steps individuals can take to monitor and protect their information and educate themselves on the different types of identity theft and the resources available to protect against and recover from identity theft.

IdentityTheft.gov: The Federal Government’s one-stop resource for identity theft victims. Individuals can use the website to report identity theft and get a personalized recovery plan that walks them through each step, updates the plan as needed, and pre-fills letters and forms. It also advises individuals on steps they can take to prevent identity theft when they receive notice that their PII has been compromised. The website is managed by the FTC and is integrated with the FTC’s complaint system, which makes the complaint information available to law enforcement across the country through Consumer Sentinel, a secure online database available to law enforcement. 

Tax fraud: HHS may consider recommending that individuals file an IRS Identity Theft Affidavit (Form 14039) to prevent an identity thief from using compromised PII to falsely claim the individual’s tax refund.

Examples of services HHS may offer

Credit monitoring: Many companies, including credit reporting agencies, offer this service as a subscription for a defined period of time. The service includes monitoring an individual’s credit report and notifying the potentially affected individual, usually via email, when new activity is reported to their credit report. Credit monitoring notifies individuals that compromised information may have been used to open a new credit account using their information. It does not monitor other non-credit-based risks for misuse of compromised information. 

Identity monitoring: These services monitor the use of an individual’s overall identity beyond information contained in a credit report. This monitoring tracks whether the individual’s information has been exposed online, in addition to monitoring other databases, which may include information related to change of address, court records, payday loans, health, criminal, and other identifying information beyond just financial credit information. These more comprehensive services mitigate the risks of the non-credit identity thefts outlined above. Each company provides different monitoring services, so CMS Breach Response Teams must ensure that monitoring options are appropriate, given the compromised information. The effectiveness of the monitoring will depend on factors such as the databases monitored, the amount and accuracy of the information in the databases, and how often the company checks the databases. 

Full-service identity counseling and remediation services: These are additional services that provide trained counselors or case managers to help individuals recover from identity theft. The services may include assisting individuals with preventing pre-screened offers of credit, helping consumers dispute charges, removing fraudulent information, and providing legal assistance. Generally, individuals authorize companies offering these services to act on their behalf. 

Identity theft insurance: Insurance reimburses individuals for certain losses resulting from identity theft. Generally, this insurance covers only out-of-pocket expenses directly associated with recovery from identity theft. Typically, these are limited to things like postage, copying and notary costs. Some policies cover lost wages or legal fees. Normally, these policies do not provide reimbursement for any funds that are stolen as a result of the identity theft. The CMS Breach Response Team must understand what it is purchasing and, in any guidance provided, clearly communicate to potentially affected individuals what the insurance covers, as well as any limitations and exclusions.

 

Attachment C: Methods of notification 

  • First-class mail: First-class mail notification to the last known mailing address of the individual in HHS records should be the primary means by which notification is provided. Where the Affected Program Office, in consultation with the CMS Breach Response Team and HHS Breach Response Team, has reason to believe the address is no longer current, it should take reasonable steps to update the address by consulting with other agencies such as the U.S. Postal Service. The notification should be sent separately from any other mailing so that it is conspicuous to the recipient. If CMS uses another agency to facilitate mailing, care should be taken to ensure that CMS is identified as the sender, and not the facilitating agency. The front of the envelope should be labeled to alert the recipient to the importance of its contents and should be marked with CMS as the sender to reduce the likelihood that the recipient thinks it is advertising mail. CMS should anticipate mail returned as undeliverable and should have procedures in place for how to provide a secondary notification.
  • Telephone: Telephone notification may be appropriate in those cases where urgency may dictate immediate and personalized notification or when a small number of individuals are affected. Telephone notification, however, should be contemporaneous with written notification by first-class mail.
  • Email: Email notification, especially to or from a non-government email address, is not recommended due to the malicious email attacks that are often launched when attackers hear about a breach. Emails often do not reach individuals because they are automatically routed to spam or junk mail folders. Individuals who receive notifications via email are often uncertain of the legitimacy of the email and will not open the notification. While email is not recommended as the primary form of notification, in limited circumstances it may be appropriate. For example, if the individuals potentially affected by a breach are internal to HHS, it may be appropriate for the Notifying Official to use an official email address to notify a small number of employees, contractors, detailers, or interns via their official HHS email addresses. A “.gov” or “.mil” email may be used to notify an individual on his or her “.gov” or “.mil” email that his or her PII was potentially compromised by a breach. The HHS Breach Response Team will only consider notification by email in rare and limited circumstances and only with final approval by the HHS Breach Response Team. 
  • Substitute notification: The Notifying Official may provide substitute notification if the agency does not have sufficient contact information to provide notification, and also as supplemental notification for any breach to keep potentially affected individuals informed. This type of notice may also be beneficial if the Notifying Official needs to provide an immediate or preliminary notification in the wake of a high-profile breach when notification is particularly time sensitive. A substitute notification should consist of a conspicuous posting of the notification on HHS.gov and/or notification to major print and broadcast media, including major media in areas where the potentially affected individuals reside. Notification to the media should include a toll-free phone number and/or an email address that an individual can use to learn whether his or her personal information is affected by the breach. In instances where there is an ongoing investigation and the facts and circumstances of a breach are evolving, the HHS Breach Response Team and CMS Breach Response Team should consider whether it is appropriate to establish an ongoing communication method for interested individuals to automatically receive updates. Depending on the individuals potentially affected and the specific circumstance of a breach, it may be necessary for the Notifying Official to provide notifications in more than one language. Additionally, and as appropriate, covered entities must act in accordance with notification obligations under HIPAA.

Appendix A: Specific requirements from HHS

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

HHS breach response policy guidance 

This Guidance expands on the requirements established in the HHS Policy for Preparing for and Responding to a Breach of Personally Identifiable Information (hereafter HHS Policy). Breach response procedures are found in the HHS Breach Response Plan.

HHS and CMS breach response plans 

CMS must develop and implement its own breach response plan. The CMS Breach Response Plan must be approved by the HHS SAOP and consistent with the HHS Breach Response Plan, OMB guidance, and applicable law. The CMS Breach Response Plan must clearly detail the relationship between the CMS-level plan and the HHS Breach Response Plan. The CMS Breach Response Plan must include the following information:

  • The relationship between the CMS-level plan and the HHS Breach Response Plan
  • CMS officials who comprise the CMS Breach Response Team, as well as their respective roles and responsibilities 
  • Applicable privacy compliance documentation
  • Processes for information sharing within HHS, between Federal agencies, or with a non-Federal entity
  • Reporting requirements
  • The factors and approach to assessing the risk of harm to potentially affected individuals
  • Strategies for mitigating the risk of harm to potentially affected individuals
  • Approaches to notifying potentially affected individuals

The CMS Breach Response Plan must be reviewed no less than annually by the CMS SOP and CMS Breach Response Team, updated if necessary, and the date of review must be documented in the plan.

Privacy Act System of Records Notice requirements 

As per the HHS Policy, all Privacy Act System of Records Notices (SORNs) must include the following routine uses for the disclosure of information necessary to respond to a breach of PII.

The language must be as follows: 

To facilitate the agency's response to a suspected or confirmed breach of its own records: 

“To appropriate agencies, entities, and persons when (1) HHS suspects or has confirmed that there has been a breach of the system of records; (2) HHS has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HHS (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HHS’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.”

To disclose records in their systems of records that may reasonably be needed by another agency in responding to a suspected or confirmed breach: 

“To another Federal agency or Federal entity, when HHS determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.”

Contract and contractor requirements

In accordance with the HHS Policy, the following language must be incorporated into any contracts with entities that collect, maintain, use, or operate Federal information or information systems on behalf of HHS (including on behalf of CMS). 

  • The contractor must cooperate with and exchange information with HHS officials, as deemed necessary by the HHS Breach Response Team or CMS Breach Response Team, to report and manage a suspected or confirmed breach. 
  • All contractors and subcontractors must properly encrypt PII in accordance with OMB Circular A-130 and other applicable policies, including CMS-specific policies, and comply with HHS-specific policies for protecting PII. 
  • All contractors and subcontractors must participate in regular training on how to identify and report a breach. 
  • Contractors must report suspected breaches within one hour of discovery and must fully cooperate in investigations, including providing necessary information or forensic artifacts, consistent with the HHS Policy for Information Technology Procurements – Security and Privacy Language, applicable HHS IT acquisitions guidance, HHS incident management policy, and United States Cybersecurity and Infrastructure Security Agency (CISA) notification guidelines.
  • All contractors and subcontractors must be able to determine what Federal information was or could have been accessed and by whom, construct a timeline of user activity, determine methods and techniques used to access Federal information, and identify the initial attack vector. 
  • All contractors and subcontractors must allow for an inspection, investigation, forensic analysis, and any other action necessary to ensure compliance with this Policy and the HHS Breach Response Plan, and to assist with responding to a breach. 
  • Cloud service providers must use the guidance provided in the FedRAMP Incident Communications Procedures (PDF) when deciding whether to report directly to CISA first or notify HHS first.
  • The contract must identify roles and responsibilities, in accordance with this Policy and the HHS Breach Response Plan. 
  • The contract must acknowledge that HHS will not interpret a report of a breach, by itself, as conclusive evidence that the contractor or its subcontractor failed to provide adequate safeguards for PII. 

Tracking and documenting the response to a breach

HHS will maintain a standard internal reporting template within its Breach Response Tool to track and monitor: 

  • The total number of breaches reported over a given period of time
  • The status for each reported breach, including whether HHS’s response to a breach is ongoing or has concluded
  • The number of individuals potentially affected by each reported breach
  • The types of information potentially compromised by each reported breach
  • Whether HHS, after assessing the risk of harm, provided notification to the individuals potentially affected by a breach
  • Whether HHS, after considering how best to mitigate the identified risks, provided services to the individuals potentially affected by a breach
  • Whether a breach was reported to CISA and/or Congress

CMS, while not using the HHS Breach Response Tool, must provide the information above, as well as any other requested information, to HHS CSIRC and PIM in a format and cadence approved by the HHS SAOP.

On behalf of the HHS SAOP, at the end of each quarter, the CMS SOP must review the status of each breach reported during the fiscal year. CMS is responsible for reviewing and validating the report for accuracy. Reports must be provided to the HHS SAOP upon request.

Annual reviews and FISMA reports

In accordance with the HHS Policy, at the end of each fiscal year, the CMS SOP must review the quarterly reports and make recommendations to the CMS Breach Response Team as to whether any modifications to the CMS Breach Response Plan, policies pertaining to PII, trainings, information-sharing agreements, SORNs, Privacy Impact Assessments (PIAs), or privacy policies are needed. The CMS Breach Response Team must review the CMS SOP recommendations and ensure that the CMS Breach Response Plan is current, accurate, and reflects any changes in law, guidance, standards, HHS policy, procedures, staffing, or technology. 

CMS SOPs must submit their findings to PIM, who will compile a report for the HHS SAOP and HHS Breach Response Team. The report must include any recommendations for updates to the HHS Breach Response Plan.

Definitions:

  • Affected Program Office: The organization where the breach occurred, or if the breach occurred at a non-HHS entity managing federal information or a federal information system on behalf of HHS, the organization with programmatic oversight of that entity. (Defined in the HHS Policy for Preparing for and Responding to a Breach of PII)
  • Breach: The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where: (1) a person other than an authorized user accesses or potentially accesses personally identifiable information, or (2) an authorized user accesses personally identifiable information for an other than authorized purpose. (Defined in OMB M-17-12, Preparing for and Responding to a Breach of PII)
  • Breach Response Plan: The agency's formal document that includes the policies and procedures that must be followed with respect to reporting, investigating, and managing a breach. (Modified from OMB M-17-12, Preparing for and Responding to a Breach of PII)
  • Federal Information: Information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form. (Defined in OMB Circular A-130, Managing Information as a Strategic Resource) 
  • Federal Information System: An information system used or operated by an agency, by a contractor of an agency, or by another organization on behalf of an agency. (Defined in OMB Circular A-130, Managing Information as a Strategic Resource)
  • Breach Response Team: The group of agency officials designated by the head of the agency that may be convened to respond to a breach.  Once convened, the SAOP is responsible for leading the Breach Response Team’s response to a breach. (Defined in OMB M-17-12, Preparing for and Responding to a Breach of PII)
  • High Value Asset: An agency may designate federal information or a federal information system as an HVA when it relates to one or more of the following categories:
      • Informational Value – The information or information system that processes, stores, or transmits the information is of high value to the Government or its adversaries.
      • Mission Essential – The agency that owns the information or information system cannot accomplish its Primary Mission Essential Functions (PMEF), as approved in accordance with Presidential Policy Directive 40 (PPD-40) National Continuity Policy, within expected timelines without the information or information system.
      • Federal Civilian Enterprise Essential (FCEE) – The information or information system serves a critical function in maintaining the security and resilience of the Federal civilian enterprise.

    While agencies are principally responsible for designating their HVAs, OMB and DHS may also designate HVAs at agencies based on potential impact to national security. (Defined in OMB M-19-03, Strengthening the Cybersecurity of Federal Agencies by enhancing the High Value Asset Program)

  • Incident: An occurrence that: (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. (Defined in OMB M-17-12, Preparing for and Responding to a Breach of PII)
  • Major Incident: A major incident is:

    A. Any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people. Agencies should determine the level of impact of the incident by using the existing incident management process established in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Computer Security Incident Handling Guide,

    or

    B. A breach that involves personally identifiable information (PII) that, if exfiltrated, modified, deleted, or otherwise compromised, is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States, or to the public confidence, civil liberties, or public health and safety of the American people.

    OMB further requires the determination of a major incident for any unauthorized modification of, unauthorized deletion of, unauthorized exfiltration of, or unauthorized access to the PII of 100,000 or more people. (Defined in OMB M-25-04, Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements)

  • Operating Division (CMS) Breach Response Teams: The group of CMS officials designated to convene to respond to a breach. (Defined in the HHS Policy for Preparing for and Responding to a Breach of PII)
  • Personally Identifiable Information: Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (Defined in OMB Circular A-130, Managing Information as a Strategic Resource)
  • Senior Agency Official for Privacy: The senior official, designated by the head of each agency, who has agency-wide responsibility for privacy, including implementation of privacy protections; compliance with Federal laws, regulations, and policies relating to privacy; management of privacy risks at the agency; and a central policy-making role in the agency's development and evaluation of legislative, regulatory, and other policy proposals. (Defined in OMB Circular A-130, Managing Information as a Strategic Resource)
  • Senior Official for Privacy (SOP): Within their respective CMSs, SOPs are the officials responsible for implementing applicable federal and HHS privacy requirements, developing and evaluating HHS and CMS-specific privacy policy, and managing privacy risks consistent with HHS’s mission. (Defined in HHS Memorandum Roles and Responsibilities of CMS SOPs)