Compliance· 6 min read

How Therapists Should Respond to a Data Breach

A data breach — a hacked email, a stolen laptop, a misdirected message — creates time-sensitive legal obligations. Here's what to do in the first 72 hours and beyond.

A data breach in a therapy practice could be a stolen laptop containing unencrypted session notes, a hacked email account, cloud storage accessed by an unauthorized party, or a session recording shared with the wrong person. When it happens, you face time-sensitive legal obligations, ethical duties to your clients, and a clinical response to manage the damage. Knowing the steps in advance makes an already-stressful situation manageable.

First: assess what happened

Before notifying anyone, establish:

  • What data was affected? (client names, contact details, session content, financial data)
  • Whose data? (how many clients, which records)
  • How was it accessed? (unauthorized login, physical theft, accidental disclosure)
  • Is it ongoing or contained? (change passwords, revoke access before anything else)

GDPR obligations (EU client data)

Under GDPR Article 33, if a breach poses a risk to individuals, you must notify the relevant supervisory authority within 72 hours of becoming aware. If the risk is high, you must also notify affected individuals "without undue delay" (Article 34).

Risk levelObligation

|---|---|

Low risk (e.g., encrypted device lost)Document internally; no notification required
High risk (e.g., sensitive clinical data accessed by unauthorized parties)Notify authority + notify affected clients

HIPAA obligations (US client data)

HIPAA's Breach Notification Rule requires:

  • Notification to affected individuals within 60 days of discovering the breach
  • Notification to HHS (if 500+ records) within 60 days
  • If under 500 records, log the breach and report to HHS annually
  • Notification to media if 500+ residents of a state are affected

Steps in the first 72 hours

  1. Contain the breach — change passwords, revoke access, isolate affected systems
  2. Document everything — what you knew, when, what you did (timestamp your notes)
  3. Assess the risk — what data, whose data, what harm could result
  4. Consult your professional indemnity insurer — they may have a breach response service
  5. Notify the relevant authority if required (GDPR: within 72 hours; HIPAA: within 60 days)
  6. Notify affected clients if required

Prevention is better than response

The breach you're most likely to experience as a solo nomad therapist is a lost or stolen device. Encrypting your laptop (FileVault on Mac, BitLocker on Windows) means a lost device is a very low risk — the data is unreadable. This single step eliminates the need for breach notification in most device-loss scenarios.

See also: GDPR for Therapists: Storing Notes Abroad.

Frequently Asked Questions

What must a therapist do after a data breach?

Contain the breach, document what happened and when, assess whose data was affected, notify your insurer, and notify the relevant authority — within 72 hours under GDPR if there's a risk to individuals, within 60 days under HIPAA. Encrypt devices to prevent breach obligations in case of loss or theft.

Cut your documentation to 2 minutes per session.

Eclio generates SOAP, DAP, and BIRP notes automatically. Free during beta, works from anywhere.

Get early access — free

Related articles

Compliance

Do AI Scribes Train Their AI on Your Therapy Notes?

7 min read

Compliance

Is De-Identified Therapy Data Really Anonymous?

6 min read