
Cybersecurity & HIPAA

Each year, healthcare providers are forced to pay millions of dollars to cybercriminals who steal their Protected Health Information (PHI) and then threaten to sell it on the Dark Web. Cybersecurity incidents like ransomware attacks can be not only costly but also disruptive to business and harmful to your practice's reputation.


We represent physicians and physician practices in connection with a wide array of cybersecurity and HIPAA matters including incident response, breach investigations by government agencies such as HHS-OCR, and defending breach-related litigation, including class action lawsuits. If you experience a breach, we will work with you throughout the entire post-breach process to ensure that you comply with various federal and state laws and regulations and notification deadlines. We also work closely with cybersecurity experts who can conduct a forensic investigation and ensure that your system is no longer compromised. 


But you don't have to wait until you have a problem to reach out. We also counsel physician practices on how to develop and implement cybersecurity policies and procedures to protect against bad actors and, hopefully, avoid the costs and stress associated with a breach.


Did you know?

A Covered Entity (including a physician or physician practice) that becomes aware of any unauthorized access to Protected Health Information (PHI) has 60 days to notify the affected patients. If the breach affects 500 or more patients, the Covered Entity must also notify HHS' Office for Civil Rights (OCR) within that same 60 days. For such large breaches, the media must be informed as well.

Copyright © 2026 Grubman Warner Berry LLP - All Rights Reserved.


Nothing on this site should be considered legal advice. Nor does accessing the material on this site create an attorney-client relationship. Descriptions of prior matters are used as examples only and should not be read to guarantee an outcome in any future case.