It's Tuesday morning. You walk in. The receptionist hands you a sticky note: "IT called — there's something weird with the email." You assume it's spam, take your first patient, and get back to it after lunch. By Tuesday afternoon, someone tells you patient information may have been exposed for the past several days. What do you do next?
If your honest answer is "I'd call IT and figure it out," you're where most independent practices are. The Alabama OB/GYN practice that paid $900,000 last week was in exactly the same place. The breach itself wasn't extraordinary. What made it expensive was the 72 hours that followed.
What happened
Here's the story. An Alabama OB/GYN practice called Henderson & Walton Women's Center had its systems sitting open to an attacker for four days in February 2022 — between the 11th and the 14th. The attacker walked out with patient information: dates of birth, Social Security numbers, medical and health-insurance details, driver's license numbers.
Last Thursday, four years after the breach, the practice agreed to pay $900,000 to settle a class-action lawsuit from patients whose information had been exposed during those 96 hours. Eligible patients can claim up to $150 for ordinary losses (think bank fees, postage, signing up for credit monitoring on their own), up to $2,500 for documented extraordinary losses (think actual identity theft), plus three years of credit and medical monitoring. Final approval comes after a court hearing in August.
The lawsuit didn't have to prove the practice was negligent on purpose. It just had to show the practice didn't have what a reasonable practice should have had — specifically, evidence that they'd thought about this in advance.
Four years. From breach to settlement. $900,000. The breach took four days. The litigation took four years.
The gap
The settlement isn't because Henderson & Walton was breached. Practices get breached — your friend at the dental practice down the street got hit two years ago, the chiropractor up the road last fall. The settlement happened because of what wasn't documented in the 96 hours after February 11, 2022.
Plaintiff lawyers always show up with the same checklist. When did you find out? What did you do in the first day? Who did you tell? When? What did you tell each patient about what was exposed? What did you offer them — credit monitoring? identity-theft insurance? Where's the paperwork that proves any of it?
If you can answer those questions with dated, signed documents, the class action has less leverage. If you can't, you end up arguing that you tried to do the right thing without any contemporaneous proof of what "the right thing" was. That argument doesn't win.
There's a federal rule that says you have 60 days from the moment you discover a breach to notify each affected patient. Some states give you less — 30 days, sometimes 10. Your cyber-liability insurance probably requires you to notify them within 72 hours, or they don't cover the response. Each of those clocks starts the moment someone in your practice says "something is wrong."
Practices don't miss those clocks because they don't care. They miss them because nobody owns the timeline.
If you're already convinced — the Encrypted Chart Vault includes the breach response runbook this practice didn't have, plus five other operational documents. $299 for the full archive — less than three hours of a single attorney's time. Get the Vault →
Why a runbook actually solves this
A breach response runbook isn't a policy document you stick in a binder. It's a written playbook that turns the 72 hours after a breach into a sequence of decisions you've already made.
The runbook is organized around three windows: the first day, the first two weeks, and the first two months.
The first day. The runbook tells you exactly who to call, in what order. Spoiler: not your IT vendor first. The first call is to your cyber-liability insurance carrier — because most policies require that call within 72 hours, and the carrier coordinates everything else from there (the forensic team, outside counsel, the patient-notification platform). Then you isolate the compromised systems. Reset every shared password. Decide what you tell staff today, and what you don't yet tell patients (telling them too early can box you in legally). Every step gets logged with a date and a signature. That log is what defends you in court four years later.
Week one and two. By the end of week one, you need to know what was exposed, when, for how long, and whose information it was. The runbook walks through choosing a forensic vendor, preserving evidence, and one critical legal decision — whether to run the investigation under attorney protection so the report can't be subpoenaed by class-action plaintiffs years down the road. (The answer is usually yes.) What you decide in week one determines what's discoverable in year four.
Through day 60. The runbook contains the templates for the three notification streams you'll need: the affected patients, the federal regulator (HHS-OCR), and the state attorney general (sometimes more than one, depending on where your patients live). Each template names the data exposed, when you discovered the breach, what you did, what you're offering, and how patients can contact you. Notifications for any breach affecting 500 or more people have to go out within 60 days. Miss that, and the federal penalty cap multiplies.
This isn't theoretical. From a reader using the Vault:
“I was the listed Privacy Officer at my former, well-established group practice, and didn't think to add myself when I went solo. […] The Encrypted Chart Vault caught it on the very first document I audited, plus a few other nuances I needed to tighten.”
— Annemarie Hardgrove, LCSW-R, CYT · Former Co-Director of a Long Island Group Psychotherapy Practice; Now in Solo Practice
The thread that runs through all 60 days: documentation. Every call, every decision, every notification, every dollar — logged with a date and a signature. This is what a plaintiff firm sees when they decide whether your practice is worth filing against. A practice with a clean, documented runbook is a hard target. A practice without one is what Henderson & Walton was.
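The article's point is that a dated, attributed log of each call, decision and notification is what survives into litigation, and that every clock runs from the moment of discovery. The following is an added illustration, not a document from the Vault or the practice's own material: a small Python tracker that computes the notification deadlines named above from a discovery timestamp, records each action with a date and a responsible person, and reports which clocks have been met, are still open, or have been missed. The entries are chained with SHA-256 so that a later edit to any entry is detectable, which is my addition as one way to show the records are contemporaneous; the article does not prescribe it. The 30-day state deadline, the practice names, dates and actions are constructed placeholders.

```python
"""Breach-response clock tracker with a hash-chained decision log.

Added example for this article, not a Vault document. The 72-hour carrier
notice and the 60-day HIPAA clocks come from the article; the 30-day state
deadline and every name, date and action below are constructed placeholders.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import json

# Notification clocks, all measured from the moment of discovery.
CLOCKS = {
    "carrier": timedelta(hours=72),   # cyber-liability policy notice (article)
    "state_ag": timedelta(days=30),   # assumed 30-day state; varies by state
    "patients": timedelta(days=60),   # 45 CFR 164.404, notice to individuals
    "hhs_ocr": timedelta(days=60),    # breaches affecting 500+ people (article)
}

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass
class IncidentLog:
    discovered_at: datetime
    entries: list = field(default_factory=list)

    def deadlines(self) -> dict:
        """Absolute deadline for each clock, computed from discovery."""
        return {name: self.discovered_at + delta for name, delta in CLOCKS.items()}

    def record(self, when: datetime, who: str, action: str,
               notifies: Optional[str] = None) -> str:
        """Append a dated, attributed entry chained to the previous one.

        `notifies` names the clock this entry satisfies (e.g. "carrier"), if any.
        """
        if notifies is not None and notifies not in CLOCKS:
            raise ValueError(f"unknown clock: {notifies}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"when": when.isoformat(), "who": who, "action": action,
                 "notifies": notifies, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry["hash"]

    def verify(self) -> bool:
        """True if no entry has been altered or removed since it was written."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def status(self, now: datetime) -> dict:
        """Per clock: 'met' (notice logged in time), 'late' (logged after the
        deadline), 'overdue' (nothing logged, deadline passed) or 'open'."""
        result = {}
        for name, deadline in self.deadlines().items():
            sent = [datetime.fromisoformat(e["when"])
                    for e in self.entries if e["notifies"] == name]
            if sent:
                result[name] = "met" if min(sent) <= deadline else "late"
            elif now > deadline:
                result[name] = "overdue"
            else:
                result[name] = "open"
        return result


def demo() -> IncidentLog:
    """Constructed incident: discovered 3 March 2026, 09:00 (placeholder data)."""
    log = IncidentLog(datetime(2026, 3, 3, 9, 0))
    log.record(datetime(2026, 3, 3, 9, 30), "Privacy Officer",
               "Called cyber-liability carrier hotline; claim opened", notifies="carrier")
    log.record(datetime(2026, 3, 3, 11, 0), "IT vendor",
               "Isolated mail server; reset all shared passwords")
    log.record(datetime(2026, 3, 10, 16, 0), "Outside counsel",
               "Forensic engagement signed under attorney protection")
    log.record(datetime(2026, 4, 20, 10, 0), "Privacy Officer",
               "Patient notification letters mailed", notifies="patients")
    return log


def demo_status() -> dict:
    """Clock status on 25 April 2026: state notice was never logged and is overdue."""
    return demo().status(datetime(2026, 4, 25, 9, 0))


def tampering_detected() -> bool:
    """Editing an entry after the fact breaks the chain."""
    log = demo()
    ok_before = log.verify()
    log.entries[1]["action"] = "edited after the fact"
    return ok_before and not log.verify()


if __name__ == "__main__":
    for clock, state in demo_status().items():
        print(f"{clock:10s} {state}")
```

Run as a script it prints the four clocks with their state; the point of `status` is that a deadline with nothing logged against it shows up as overdue rather than silently passing, which is exactly the "nobody owns the timeline" failure the article describes.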
What to do this week
Three steps, in order:
One. Find what you currently have. Most practices have something — a one-page incident-response sheet from a webinar, an HR policy that mentions "unauthorized disclosures," something the cyber-liability carrier handed you at onboarding. Pull it all into one folder. If it doesn't have specific dated timelines for the first day, the first two weeks, and the first two months — it's a placeholder, not a runbook.
Two. Decide: write it yourself, or buy the calibrated version. Drafting a basic runbook from scratch is legitimate — 4-8 focused hours over a weekend gets you to a defensible first draft. For each window (first day, first two weeks, first two months), write two things: who's responsible for the action, and what specifically gets done. Sign it. Date it. Put it in a folder labeled "Breach Response Plan 2026." If you can't carve out the weekend — and most independent practitioners can't — the Encrypted Chart Vault includes the calibrated version. $299 for the full archive. The runbook alone is worth the price; the other five operational documents in there are the bonus.
Three. Tell your cyber-liability carrier you have one. This sounds small. It's not. A documented breach-response posture is what insurance underwriters look at when they price your policy at renewal. Practices that can hand the underwriter a written runbook save money on the premium before they ever have a breach.
The patients in the Henderson & Walton class action aren't getting paid because the practice was breached. They're getting paid because four years ago, in the 96 hours after the breach, the practice had no documented operational answer to the question "what do we do next." That's the gap the runbook closes.
Closing
The Encrypted Chart Vault includes the breach response runbook calibrated for independent practice — the first day / first two weeks / first two months timeline, the cyber-insurance carrier sequencing, the HHS-OCR and state attorney general notification templates, and the documentation log that becomes your evidence in litigation. It also includes the BAA review checklist for vendor contracts, the FTC pixel audit walkthrough, the annual risk assessment template, privacy policy and Notice of Privacy Practices templates, and patient intake plus telehealth consent language — six operational documents in one downloadable archive. National edition $299. New York edition $349 (adds SHIELD Act + state-specific addenda). Less than three hours of a single attorney's time.
The Alabama practice that paid $900,000 last week was a practice like yours. The breach took 96 hours. The settlement took four years. The runbook is what shrinks the second number.
The plan most practices don't have.
The Vault includes the breach response runbook calibrated for independent practice — plus five other operational documents (BAA review checklist, FTC pixel audit walkthrough, annual risk assessment, privacy policy and NPP templates, patient intake and telehealth consent language). National edition $299. New York edition $349 (adds SHIELD Act and state-specific addenda).
Get the Vault →
With security,
Brad
Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
www.encryptedchart.com · Vault: store.encryptedchart.com/l/binder
Brad@encryptedchart.com
- Townsel v. Henderson & Walton Women's Center, P.C., Alabama state court case CV-2024-900914. $900,000 class action settlement received preliminary approval March 24, 2026; final approval hearing scheduled August 12, 2026; claims deadline August 27, 2026. Coverage: ClassAction.org, May 28, 2026.
- 45 CFR § 164.404 — HIPAA Breach Notification Rule, Notification to Individuals (60-day clock from discovery). ecfr.gov/current/title-45/section-164.404
- HHS Office for Civil Rights, Breach Notification Rule resources. hhs.gov/hipaa/for-professionals/breach-notification