Privacy Data Breach

In accordance with OMB Memorandum (M) 07-16 "Safeguarding Against and Responding to the Breach of Personally Identifiable Information (PII)”, the CMS Information Security and Privacy Offices have implemented a process for protecting personally identifiable information (PII) and creating policy requirements for CMS staff and partners to notify the proper authorities in the event that an incident, breach, or potential breach, to PII has occurred. 

  • The DHS defines a privacy incident as “a suspected or confirmed incident involving PII.” 
  • PII is any information that permits the identity of an individual to be directly or indirectly inferred, including any other information that is linked or linkable to that individual regardless of whether the individual is a U.S. citizen, legal permanent resident, or a visitor to the U.S. 
  • A privacy incident is an adverse event or action that is unplanned, unusual, and unwanted that happened as a result of non-compliance with the privacy policies and procedures of the Department.  It must pertain to the unauthorized use or disclosure of PII including “accidental disclosure” such as misdirected e-mails or faxes.

OMB M-07-16 requires CMS, among other thing, to implement more stringent breach notification and response policies and procedures.  This is due to the increased threats to critical cyber-based infrastructure systems that have created a need for CMS to augment their computer security efforts.  Incidents involving cyber security and privacy threats with highly interconnected technology require a skilled and rapid response to mitigate their likelihood and impact to computing resources loss or destruction of data, loss of funds, loss of productivity and damage to the agency's reputation.  These types of situations require that agencies have a coordinated computer security and privacy incident response capability as an extension to their contingency planning process.

Specifically, CMS is responsible for implementing the following:

  • Establish rules of conduct for persons involved in the design, development, operation, or maintenance of any system of records, and instruct any such person with respect to such rules and the requirements of the Privacy Act;
  • Provide job-specific training for managers and employees before granting them access to agency information and information systems;
  • Review existing requirements with respect to privacy and security by ensuring that current records are accurate, relevant, timely, and complete, and reduce them to the minimum necessary for the proper performance of the agency function;
  • Implement more stringent policies such as reducing the volume of collected and retained information (specifically a decrease in use of SSNs) and employing heightened administrative, technical, and physical security measures;
  • Implement breach notification and SSN reduction policies that address the necessity, timeliness, source, contents, means of provision, and recipients;
  • Report to US-CERT when an individual gains logical or physical access without permission to a Federal agency network, system, application, data or other resource; or when there is a suspected or confirmed breach of PII regardless of the manner in which it might have occurred;
  • Publish a routine use for their systems of records notices (SORNs) allowing for the disclosure of information in the course of responding to a breach of Federal data; and
  • Provide a breach notification, without unreasonable delay, to the Department as well as individuals affected by the breach. The notification must include:

    • Source of the breach;
    • Brief description;
    • Date of discovery;
    • Type of PII involved;
    • A statement whether or not the information was encrypted;
    • What steps individuals should take to protect themselves from potential harm;
    • What the agency is doing to resolve the breach; and
    • Who affected individuals should contact for information.

What is a Security or Privacy Breach?

The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. 

(Defined in OMB M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information”)

Examples of paper and electronic breaches

Paper Breach:

  • Having hardcopy documents containing Personally Identifiable Information (PII) stolen from one’s desk
  • Losing a briefcase that contained hardcopy documents containing PII
  • Intentionally sharing hardcopy documents that contain PII without authorization.

Electronic Breach:

  • Unauthorized users gain access to electronic documents containing PII via sharing of passwords, leaving work station unlocked/unattended, etc
  • PII is posted, in any format, onto the world wide web without authorization
  • Having a laptop containing PII lost or stolen

When Should a Breach be reported?

You should report both suspected and confirmed breaches as soon as they are discovered in order to begin remediation and investigation of any compromised information.

To Whom do CMS Staff and Business Partners report a Breach to?

Known or suspected security or privacy breaches involving CMS information or information systems must be reported immediately to the CMS IT Service Desk:

phone:  410-786-2580 or 1-800-562-1963


Additionally, please contact your assigned ISSO and direct supervisor as soon as possible and apprise them of the situation. 

Policies and Procedures

OMB M-07-16 issued in May 2007:

HHS Response to OMB M-07-16:

HHS Policy for Responding to Breaches of Personally Identifiable Information (PII):

HHS Breach Response Policy: 

Page Last Modified:
06/17/2013 03:28 PM