
What to do if your clinic has a data breach

Avinya Plus Team · 5 min read

Key takeaways

  • Contain first: isolate the device or account, but never wipe evidence.
  • Work out the scope, then preserve your logs and audit trail.
  • In India you may owe notice to the Data Protection Board under the DPDP Act, affected patients, and CERT-In.
  • Timelines like CERT-In's six hours are evolving, so confirm the current rules.

A clinic data breach feels like a fire. The instinct is to panic, or to quietly hope it goes away. Both make it worse. What you actually need is a short, calm checklist you can follow when your hands are shaking. This is that checklist.

A breach is not only a hacker. It is a lost laptop in an auto-rickshaw. It is a patient's report emailed to the wrong person. It is ransomware locking your files. It is a receptionist opening a celebrity patient's records out of curiosity. All of these expose patient data, and all of them count.

This is a practical guide, not legal advice. The rules in India are real and they are changing, so treat this as the shape of a plan and confirm the specifics with a qualified advisor.

Step 1: Contain it

Stop the bleeding first. Before you investigate, before you tell anyone, limit how much more data can leak.

  • Lost or stolen device: change the passwords for every account that device could reach. If you can remotely sign it out or lock it, do that.
  • Compromised account: reset that password immediately and sign the account out everywhere. If a staff login was misused, suspend it.
  • Ransomware or a suspicious infection: disconnect the affected machine from the internet and your network. Pull the cable or turn off the Wi-Fi. Do not pay anything yet, and do not let anyone "just restart it."
  • Wrong-recipient email or message: try to recall it, and ask the recipient to delete it. Write down what you sent and to whom.

One rule sits above all of these: do not wipe, reformat, or reinstall anything. The instinct to "clean the machine" destroys the exact evidence you will need in the next steps and in any report you have to file.

Step 2: Work out the scope

Now find out how bad it is. You cannot notify people, or decide what you legally must do, until you know what was actually exposed.

Ask plain questions and write the answers down:

  • What data was involved? Names and phone numbers are one thing. Diagnoses, prescriptions, lab results, and ID numbers are far more sensitive.
  • How many patients? A single misdirected email is different from a database copied off a stolen server.
  • When did it happen, and when did you notice? These are often different dates, and both matter.
  • Is it still happening? Confirm that Step 1 actually stopped the leak.

Resist the urge to guess low. Underestimating the scope early is how clinics end up issuing a second, more embarrassing correction later.

Step 3: Preserve the evidence

Everything you learn in Step 2 rests on records that someone could overwrite or delete. Lock them down.

This is where your system's audit trail earns its keep. A good clinic system logs who created, viewed, edited, downloaded, or deleted each record, and when, with the user's name attached. When the incident is internal, say a staff member who looked at files they had no business opening, that history is how you reconstruct exactly which records that login touched and when.

Be honest with yourself about what an audit trail is, though. It is a forensic record you read after the fact, not an alarm that detects a breach for you. Avinya Plus logs this activity and keeps per-branch data isolated, so investigators have a clean, attributable trail to work from. It does not watch for intrusions or ping you when something looks wrong. That detection job is yours.

Practical preservation steps:

  • Export or back up the relevant audit logs and records before anyone touches them.
  • Take screenshots and photos. Note timestamps.
  • Keep the affected device powered off and set aside, not "borrowed" by staff.
  • Write a simple timeline as you go. Memory fades fast under stress.
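Once the audit trail is exported, the Step 2 questions (which records, how many patients, first and last touch, is it still going on) can be answered directly from it. The following is an added example, not Avinya Plus code: it reads a constructed CSV export with assumed column names and summarises everything one login touched inside an incident window, including touches on another branch's data when the login is supposed to work at one location only.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export (column names are an assumption, not the
# product's real schema): one receptionist login viewing and downloading
# records across two branches over two days, plus one unrelated doctor edit.
SAMPLE_AUDIT_CSV = """timestamp,user,action,record_id,patient_id,branch
2024-03-01T09:02:11,reception2,view,R1001,P501,andheri
2024-03-01T09:05:40,reception2,view,R1002,P502,andheri
2024-03-01T18:44:03,reception2,view,R2090,P877,bandra
2024-03-01T18:44:59,reception2,download,R2090,P877,bandra
2024-03-02T07:10:22,reception2,view,R2091,P877,bandra
2024-03-02T10:00:00,drsharma,edit,R1001,P501,andheri
"""


def reconstruct_access(audit_csv, user, start, end, home_branch=None):
    """Summarise what one login touched between start and end (ISO timestamps,
    inclusive). Returns None when the login has no activity in the window."""
    t0, t1 = datetime.fromisoformat(start), datetime.fromisoformat(end)
    rows = [r for r in csv.DictReader(io.StringIO(audit_csv))
            if r["user"] == user
            and t0 <= datetime.fromisoformat(r["timestamp"]) <= t1]
    if not rows:
        return None
    rows.sort(key=lambda r: r["timestamp"])  # ISO-8601 strings sort chronologically
    return {
        # Scope: which records and how many distinct patients were exposed
        "records": sorted({r["record_id"] for r in rows}),
        "patients": len({r["patient_id"] for r in rows}),
        # Severity: a download is worse than a view, so keep the breakdown
        "actions": dict(Counter(r["action"] for r in rows)),
        # Timeline: when it started, and whether it is still happening
        "first": rows[0]["timestamp"],
        "last": rows[-1]["timestamp"],
        # Touches on another branch's data; home_branch is an assumed input
        "outside_home_branch": sum(
            1 for r in rows if home_branch and r["branch"] != home_branch),
    }


if __name__ == "__main__":
    print(reconstruct_access(SAMPLE_AUDIT_CSV, "reception2",
                             "2024-03-01T00:00:00", "2024-03-02T23:59:59",
                             home_branch="andheri"))
```

Run it against your own export with the suspect login and the window from your timeline; the first and last timestamps are the two dates Step 2 asks for.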

For more on why this trail matters day to day, see our guide on audit trails for clinics.

Step 4: Notify the right people

Once you understand the scope, you have duties to several groups. The order and the exact wording can vary, so this is where a qualified advisor is worth their fee.

Your patients. The people whose data leaked usually deserve to know, in plain language, what happened, what was exposed, and what they should watch for. A clear, early message protects trust far better than silence that comes out later.

The Data Protection Board, under the DPDP Act. India's Digital Personal Data Protection Act, 2023 treats your clinic as a data fiduciary. When a personal data breach happens, the expectation is that you notify both the affected individuals and the Board. The operational rules and timelines are still being detailed, so confirm the current position before you rely on any specific deadline.

CERT-In, for cyber incidents. The Indian Computer Emergency Response Team, CERT-In, requires certain cyber security incidents, including data breaches and unauthorised access, to be reported. A six-hour reporting window from noticing the incident is widely cited from CERT-In's 2022 directions. Treat that number as a strong signal to move fast, not as gospel, and verify the current requirement against CERT-In's own latest directions, because these rules get revised.

Your team and, where relevant, your insurer or a forensic expert. A serious breach, particularly ransomware, is not a DIY job. Bring in help early.

A quick note on hedging deadlines: timelines like the six-hour CERT-In window and the DPDP notification expectations have changed before and may change again. The safe habit is to assume you must act quickly and to confirm the exact current rule at the moment you need it.

Step 5: Learn from it

After the immediate fire is out, do the boring, valuable part. Sit down and ask why it happened, and close that gap.

  • Was a password shared or weak? Tighten access.
  • Did someone see records they never needed? Review who has access to what, and tighten roles. Our guide on staff roles and access control covers how to think about this.
  • Was a personal device carrying patient data? Decide what is allowed on personal devices, and write it down.
  • Did the breach go unnoticed for weeks? That is a sign you should be reviewing your audit trail regularly, not only after a crisis.

The clinics that recover well are not the ones that never have an incident. They are the ones that respond calmly, tell the truth quickly, and fix the underlying cause.

How the right system helps before and after

You cannot buy your way out of every breach, and you should be suspicious of anyone who says you can. What the right system does is shrink the blast radius and make the cleanup honest.

Avinya Plus is built on a few security fundamentals that matter here: role-based access so people only see what their job needs, per-branch isolation enforced in the database through PostgreSQL Row Level Security so one location's data stays separate from another's, and a complete audit trail of every create, update, delete, view, and download with the user attached. Records are structured and exportable, which makes preserving evidence straightforward when you need it.

What it does not do, and what no honest vendor should claim for you, is detect intrusions, watch for ransomware, or respond to an incident on your behalf. Those remain your clinic's responsibility. The tooling gives you a clean, trustworthy record to investigate from. The plan, the calm, and the follow-through are yours.

For the bigger picture on protecting patient data day to day, start with our pillar guide on patient data security for clinics, and the practical companion on securing patient records in a small clinic. If you want to see how the access controls and audit trail fit together, our clinic data security page lays it out.

Frequently asked questions

What counts as a data breach at a clinic?

Any time patient data is exposed, lost, stolen, changed, or accessed by someone who shouldn't have it. That covers a lost or stolen laptop, records emailed to the wrong person, a ransomware infection, a hacked account, and a staff member snooping in files they have no reason to open. It does not have to be a hacker for it to count.

Do I have to report a data breach to the government in India?

In many cases, yes. Under the DPDP Act, a data fiduciary (your clinic) is expected to notify the Data Protection Board and the affected individuals when a personal data breach happens. Separately, CERT-In requires certain cyber security incidents to be reported, and a six-hour window is widely cited. These rules and timelines are evolving, so confirm the current requirements with a qualified advisor before you act.

What is the first thing to do when I notice a breach?

Contain it before you do anything else. Disconnect the affected device or account, change passwords, and stop the bleeding. But do not wipe or reformat anything, because that destroys the evidence you will need to understand what happened and to report it accurately.

How does an audit trail help during a breach?

An audit trail is a record of who created, viewed, edited, downloaded, or deleted each record, and when. When you are reconstructing an incident, especially staff snooping or a misused login, it helps you see which records a given user actually touched. It is a forensic record after the fact, not an alarm that detects a breach for you.

Can software prevent a data breach?

No tool prevents every breach. Software can reduce risk with role-based access, branch isolation, and a full audit trail, but breaches also come from lost devices, weak passwords, phishing, and human error. Prevention and response are your clinic's responsibility, supported by your tools and your staff's habits.

Avinya Plus Team · Clinic software, billing & compliance
