Form Not Applicable Not Applicable Notice of Breach of Health Information

Federal Trade Commission
The nation’s consumer protection agency

Notice of Breach of Health Information
OMB Control No: 3084-0150
(exp. 3/31/2016)

Are you in the business of offering or maintaining personal health records? Does your company offer products or services
that interact with personal health records – for example, an online weight tracking program that sends information to a
personal health record or pulls information from it? If that describes your line of work – and if you’re not covered by the
Health Insurance Portability & Accountability Act (HIPAA) – the law requires you to take steps if you’ve had a breach
involving information in a personal health record not secured in a certain way. Under the law, 16 C.F.R. Part 318, you
must:
1.
Notify everyone whose information was breached;
2.
In many cases, notify the media; and
3.
Notify the Federal Trade Commission (FTC).
The FTC has designed this form to make it easier for you to report a breach to us. For more on notifying the people
whose information was breached, visit www.ftc.gov/healthbreach.
For all breaches
Complete this form. Include your own contact information. Don’t include any personally identifiable information involved
in the breach.
You have two options for submitting the form.
(1) Send it to:
Federal Trade Commission
Associate Director – HBN
Division of Privacy & Identity Protection
600 Pennsylvania Avenue, N.W.
Mail Stop CC-8232
Washington, DC 20580
Verify that the form arrived at the FTC by using a mailing method that gives you proof of delivery.
(2) Transmit your submission through our secure file transmission system. To do so, you must send an email to
[email protected] (link sends e-mail) with the subject line “HBN – Request to Submit Document.” Do not
include any details about the breach or the notification form in this request. You should receive a reply email
within two business days with instructions for the secure electronic submission of encrypted documents.
Timelines These timelines refer to when you must notify the FTC of the breach. If the law requires you to contact the
people whose information was breached, you must notify them as soon as you can – and no later than 60 days after
discovering the breach.
For breaches involving the records of 500 or more people
Complete this form and send it to the FTC within 10 business days of discovering the breach.
For breaches involving the records of fewer than 500 people
Complete this form and send it to the FTC by the 60th day of the calendar year following the breach. For
example, if you discover a breach involving fewer than 500 people on June 30, 2009, send this form to the FTC
no later than 60 days into the calendar year of 2010. If you experience two breaches like this in one calendar
year – one on June 30th and another on November 1st – complete a separate form for each breach, staple them
together, and send them to the FTC no later than 60 days into the calendar year of 2010.

Questions? Call the FTC at (202) 326-2252 or send a letter to the address above.
Paperwork Reduction Act Statement: Under the Paperwork Reduction Act, as amended, an agency may not conduct or sponsor, and
a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.

Notice of Breach of Health Information

Your company or organization
Name of your company or organization:

Website:

Address:
City

State

Zip

Contact person at your company or organization:
Contact telephone:

About how many employees does your company or
organization have? - Please Select Organization Size -

Contact email address:

What products or services do you offer?

Information about the breach
Type of breach:
Lost or stolen laptop, computer, flash drive, disk, etc.
Stolen password or credentials
Unauthorized access by an employee or contractor
Hacker
Other (describe)
Have you made the breach public?

Date(s) the breach happened (if you know):
From:
/
/
To:
/
Date the breach was discovered:

/

/

Yes

No

If YES, when did you make it public?

/

How many individuals were affected by the breach?

Comments:

Type of information involved (check all that apply):
Personal Information
Name
Address
Date of birth
Social Security Number
Drivers license or identification card number
Financial information (credit card number,
bank account number, etc)
Health insurance information (insurance carrier,
insurance card number, etc.)

Other Personal or Health Information
(describe):

Health Information
Basic information (age, sex, height, etc.)
Disease or medical conditions
Medications
Treatments or procedures
Immunizations
Allergies
Information about children
Test results
Hereditary conditions
Mental health information
Information about diet, exercise, weight, etc.
Correspondence between patient and providers
Living wills, advance directives, or medical
power of attorney
Organ donor authorization

Notice of Breach of Health Information
What steps are you taking to investigate the breach?

What steps are you taking to mitigate losses?

What steps are you taking to protect against further breaches?

List any law enforcement agencies you’ve contacted about the breach.

Breach notification
Have you notified the people whose information was breached?
YES. We notified them on:
Attach a copy of the letter to this form. Don’t include any personally identifiable information, other than your own
contact information.
NO. Our investigation isn’t complete.
If you determine you need to notify them, as soon as you can – and no later than 60 days after discovering the
breach – you must: 1) Notify the people whose information was breached; and 2) Send a copy of the letter to the
FTC. Don’t include any personally identifiable information, other than your own contact information.
If you determine you don’t need to notify the people whose information was breached, send a letter to the FTC at
the address below explaining why notification isn’t necessary.
Has anyone at your business or organization received information that someone has been harmed by this breach? For
example, has a customer called you to complain about identity theft? Or are you aware of any public disclosure of
YES
NO
information that resulted from the breach?
If YES, describe the harm you’ve found out about. Don’t include any personally identifiable information.

For FTC use:
Reference Number: __________________