Cybersecurity incident disclosure
Healthcare and Life Sciences organizations face overlapping cybersecurity incident disclosure obligations from the U.S. Department of Health and Human Services Office for Civil Rights, the U.S. Securities and Exchange Commission, and the Cybersecurity and Infrastructure Security Agency, each operating on different timelines and breach thresholds. The SEC's 2023 cybersecurity disclosure rules require public companies to report material incidents within four business days on Form 8-K, a standard that sits in direct tension with HHS OCR's 60-day HIPAA breach notification window. Compliance teams in this sector are currently working through which incidents trigger both regimes simultaneously and how to draft disclosures that satisfy each agency without creating contradictions in the public record.
Watch
- HHS OCR enforcement posture on ransomware incidents classified as presumptive HIPAA breaches
- SEC Form 8-K Item 1.05 materiality determinations for healthcare data incidents
- CISA's 72-hour reporting mandate under CIRCIA as final rulemaking advances
- Dual-disclosure conflicts when a breach is material to investors but sub-threshold under HIPAA
Recent material activity in Healthcare & Life Sciences
Active monitoring in place across Healthcare & Life Sciences. Material developments related to cybersecurity incident disclosure will appear here as they are published.