
The Ultimate Guide to Handling a Break-in at Your Clinic

May 08, 2024


By Vasiliki Marapas

This story is based on true events. Names and some identifying details have been changed for privacy.

The break-in

It was 6:30 am on a Friday morning when M.J. received a text from his landlord.

“It looks like there’s been a break-in,” the message read. Attached was a grainy photo of a cinder block smashed through M.J.’s clinic window, glass and debris littered over the sidewalk and front entrance.

M.J. immediately drove to his clinic, where the security system that had failed to go off the night before now triggered as he opened the front door. Inside, he was faced with a sobering reality: Three desktop Mac computers, an external hard drive, and several professional tools had been taken.

“My first thought was — what is this going to cost our clients and what is this going to cost us?” M.J. explains.

He had opened his clinic alongside his brother, a licensed physiotherapist, in Ontario, Canada, in a community with few healthcare resources. “This industry can be very numbers-driven, so our intention was, of course, to have a successful business, but also to provide quality care in an underserved market,” M.J. says.

With a privacy breach looming, M.J. and his brother confronted their own liability, as well as the possibility they’d have to interrupt critical service for clients who could not afford to go elsewhere.

Reporting a commercial burglary to police and insurance

They reported the robbery to police, who came to survey the damage and canvass the surrounding plaza for CCTV. The forensics team followed soon after. Amid the chaos, M.J. called his insurance company to file a claim. He was informed the adjuster assigned to their case would be in touch.

“There can be a delay working with insurance companies and even with police,” M.J. explains. “When you’re in a state of panic, you want answers, you want results. These things are happening to me in real-time, yet there’s often no one with the answers right then and there.”

For his own peace of mind, M.J. kept moving. He contacted staff to let them know what had happened. He reached out to the security company to find out why their alarm hadn’t gone off. And when the police had gotten what they needed, he worked tirelessly to restore the space to its original condition.

“Had you not known there had been a break-in, there’d be no way to tell walking into the space,” M.J. says, noting that he didn’t want his staff to see the clinic in disarray, or his clients to walk past boarded-up windows. “I felt this vulnerability – this violation – and I didn’t want them to feel it,” he shares.


Communicating with clients and colleagues

Thankfully, the clinic did not need to close its doors, so when people began arriving for their appointments the following Monday, M.J., his brother, and their colleagues were ready to share what they knew so far.

“We were very honest,” says M.J. “This isn’t a time where you want to have to backtrack.”

Under the guidance of the privacy commissioner, M.J. drafted an official email that described the “what, when, who, how, where, and why” of the breach and the steps that had been taken since it was discovered. That included actions like notifying the appropriate professional associations and informing the banks, as well as cancelling credit cards, changing passwords, and most importantly, erasing as much information as they could remotely.

Because he had multi-factor authentication enabled, M.J. was able to reassure his clients there had been no attempts made to access their information. The response they received left M.J. feeling surprised and grateful.

“Our clients and staff have been amazing throughout this,” M.J. says. “They really wanted to support us.”

He credits the positive reaction to the strong relationships they’ve built over time, their ability to be transparent, and their long-held open-door policy for anyone who had questions.

“When you’re running a business and you’re able to give people a sense of security or quality, that doesn’t just go away overnight,” says M.J. “Had we not been as connected to our clients, this might have been a lot different.”

Managing healthcare data security

A privacy breach is an event that every conscientious clinic prepares for, yet hopes they never have to face. Since the robbery, the clinic has adopted new procedures, including a more detailed security review process with new vendors, and locking up their laptops at night.

M.J. now encourages others to start thinking through questions of risk more deeply: “Go that extra step, ask yourself, what is my backup in case my first layer of protection fails? It’s not so much about eliminating risk, but managing it,” he says.

At the same time, he gives himself grace, knowing they did their due diligence. For anyone going through a similar situation, he offers the following advice: “Be genuine, be as good as you can be in your position, and ask for help when you need it.”

Expert advice from HIPAAYak: cultivating a security mindset

M.J.’s sentiments are echoed by Travis Good, CEO of HIPAAYak: a tech-forward HIPAA platform for small healthcare practices in the US.

For many clinics, fear around penalties can obscure a crucial aspect. “One of the things people don’t fully appreciate about HIPAA is that a lot of it is about intention,” Travis says.

Intention is also the backbone of legislation in Canada, where there are both federal and provincial laws relating to data privacy. In either country, putting policies and procedures in place indicates that you’ve been intentional with securing the information you’re collecting.

One reason people struggle with security, Travis believes, is that they feel intimidated by the language. “There’s this sense that if you don’t have the right acronyms or the right words to talk about it, then you’ll come off as seeming to not understand it,” he shares. That only heightens the fear of sounding ignorant or, worse, of making a mistake.

Travis Good, CEO of HIPAAYak

“Security is such a dynamic and evolving space that unless you are a full-time [specialist], it’s nearly impossible to keep up with it,” Travis says, adding that the goal isn’t to become an expert but to cultivate a security mindset.

Travis recommends making the topic a regular part of your work by including it in daily or weekly meetings to help people keep it top of mind. That way, the next time someone gets a suspicious email, they’ll think twice about whether they should click on a link or open an attachment.

Maintaining security when partnering with third-party companies

It’s especially important to consider security when partnering with other companies. “Increasingly, all businesses are leaning on third-party technology tools,” says Travis. As a small clinic, you might not have the resources to check a company’s [security] settings yourself, but you can ask what they do for information security and document their response.

“Most vendors, especially in healthcare, are set up to do that as part of the contracting process,” Travis says.

Creating security policies that work for your practice

Sometimes the guidelines can feel vague rather than prescriptive, making it tough for solo practitioners or smaller clinics to understand what’s needed of them.

“Unfortunately, there’s not a formula here,” Travis says. “You need to think about your practice and what’s reasonable.”

For example, HIPAA guidelines say that you should assign both a security official and a privacy official – but if you’re a one-person practice, that’s not a feasible thing for you to do.

It’s important to be realistic about the amount of work you can do on a regular basis. In other words, avoid creating policies or procedures that require resources you don’t have — only adopt policies you know you can follow.

Instead of bogging yourself down trying to interpret the hundreds of pages written for both the security rule and the privacy rule under HIPAA, Travis suggests boiling it down to 10–15 bullet points per rule, then creating simple policies that map onto each point.

Security is about intention, not perfection

These laws don’t exist to penalize practitioners. They exist to protect patients. And in doing so, they offer a wealth of information. Think of them as a guiding light, helping you achieve the mutual goal of ensuring only authorized people can see sensitive information.

Even as the security landscape continues to evolve, at its core, security is about putting policies in place with the intention of ensuring the confidentiality, integrity, and availability of the data you’re storing.

Keeping this principle in mind will help anyone cut through the noise and do what’s right to keep their practice secure.

Tips for keeping your space secure:

1) Have good password hygiene
- Use long, randomized passwords
- Have one password per account
- Don’t share passwords with anyone (not even IT)
- Use an online password manager

2) Protect your devices
- Never leave devices unattended in public
- Lock your computer when you leave your desk
- Be careful when viewing sensitive information in public or in front of patients
- Don’t plug an unknown device, like a found USB, into your computer
- Enable multi-factor authentication

3) Prevent malware
- Confirm you are using a trusted source or official company website before downloading anything on your computer
- Regularly update your software and operating systems
- Be cautious when clicking email links

4) Browse safely
- Keep WiFi secure
- Be mindful with private info when you’re on public WiFi
- Only enter data if you can verify a website is safe
- Vet people’s identity online
- Be wary of free deals: they may be malicious

5) Expect the best, prepare for the worst
- Publish your privacy practices
- Appoint a privacy contact person and/or security official
- Create breach procedures you can follow

In search of more expert advice for clinic life? 🔎

We know that running your clinic comes with its ups and downs. That’s why we’ve put together articles (like this one) to help you along your journey.

If you want more, make sure to check out Front Desk magazine. You can even sign up for print issues — delivered right to your clinic! 📖


This article was originally published in issue 1 of Front Desk magazine and has been modified and updated.
