Breach Reporting. Business Associate shall report to Covered Entity any use or disclosure of PHI not permitted under this BAA, Breach of Unsecured PHI or Security Incident, without unreasonable delay, and in any event no more than thirty (30) days following discovery; provided, however, that the Parties acknowledge and agree that this Section constitutes notice by Business Associate to Covered Entity of the ongoing existence and occurrence of attempted but Unsuccessful Security Incidents (as defined below) for which notice to Covered Entity by Business Associate shall be required only upon request. "Unsuccessful Security Incidents" shall include, but not be limited to, pings and other broadcast attacks on Business Associate's firewall, port scans, unsuccessful log-on attempts, denials of service and any combination of the above, so long as no such incident results in unauthorized access, use or disclosure of PHI. Business Associate's notification to Covered Entity of a Breach shall include: (i) the identification of each individual whose Unsecured PHI has been, or is reasonably believed by Business Associate to have been, accessed, acquired or disclosed during the Breach; and (ii) any particulars regarding the Breach that Covered Entity would need to include in its notification, as such particulars are identified in 45 C.F.R. § 164.404.
Breach Reporting. Contractor shall report breaches and suspected security incidents to County, to include:
Breach Reporting. If SSA or VA suspects or confirms a breach, as defined by OMB M-17-12 or suspects or experiences an incident involving the loss or breach of PII provided by SSA or VA under the terms of this Agreement, they will follow the breach reporting guidelines issued by OMB and agency policy. In the event of a reportable breach under OMB guidance involving PII, the agency experiencing the breach is responsible for following its established procedures, including notification to the proper organizations (e.g., United States Computer Emergency Readiness Team, the agency’s privacy office). In addition, the agency experiencing the breach (e.g., electronic or paper) will notify the other agency’s Systems Security Contact named in this Agreement. If VA is unable to speak with the SSA Systems Security Contact within one hour or if for some other reason notifying the SSA Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), VA will call SSA’s National Network Service Center toll free at 0-000-000-0000. SSA must also notify VA’s Systems Security Contact and the VA Network and Security Operations Center (1-800-877-4328) within one hour.
Breach Reporting. ICUK shall notify Customer without undue delay of becoming aware of any Personal Data Breach involving Personal Data Processed on behalf of the Customer using the Services, and thereafter co-operate with Customer and provide assistance as may be reasonably required by Customer in the investigation, remediation and mitigation of such breach. ICUK shall provide reasonable assistance to Customer in respect of any breach reporting obligations Customer may have, and provide such additional information relating to such breach as Customer may reasonably require.
Breach Reporting. Contractor will report, in writing, any breach of protected health information to State within five (5) business days of discovery, in accordance with 45 C.F.R. § 164.410.
a. Identities of the Individuals whose unsecured Protected Health Information has been breached.
b. Date of the breach and date of its discovery.
c. Description of the steps taken to investigate the breach, mitigate its effects, and prevent future breaches.
d. Sanctions imposed on members of Contractor’s workforce involved in the breach.
e. Other available information that is required to be included in notification to the Individual under 45 C.F.R. § 164.404(c).
f. Statement that Contractor has notified, or will notify, affected data subjects in accordance with 45 C.F.R. § 164.404.
Breach Reporting. Business Associate shall report to Covered California any Breaches of PHI. Business Associate shall make such report to Covered California’s Chief Privacy Official not more than twenty-four (24) hours after Business Associate knows, or should reasonably have known, of such Breach. Business Associate shall cooperate with Covered California in investigating such Breach, and in meeting Covered California’s obligations under the HITECH Act and any other security breach notification laws. Business Associate shall report all Breaches to Covered California in writing (and in the format requested by Covered California) and such reports shall, at a minimum:
i) Identify the nature of the Breach including the date of the Breach and the date of discovery of the Breach;
ii) Identify which elements of the PHI (e.g., full name, social security number, date of birth, etc.) were breached, or were part of the Breach;
iii) Identify who was responsible for the Breach and who received the PHI;
iv) Identify what corrective actions Business Associate took or will take to prevent further incidents of Breach;
v) Identify what Business Associate did or will do to mitigate any deleterious effect of the Breach;
vi) Identify Business Associate contact information and procedures to enable Covered California to obtain additional information if required; and
vii) Provide such other information, including a written report, as Covered California may reasonably request. Business Associate shall reimburse Covered California for all Breach notification costs arising out of or in connection with any Breach, including but not limited to, postage and mailing fees and the provision of credit monitoring services for affected individuals.
Breach Reporting. If SSA or VA suspects or confirms a breach, as defined by OMB M-17-12 or suspects or experiences an incident involving the loss or breach of PII provided by SSA or VA under the terms of this Agreement, they will follow the breach reporting guidelines issued by OMB and agency policy. In the event of a reportable breach under OMB guidance involving PII, the agency experiencing the breach is responsible for following its established procedures, including notification to the proper organizations (e.g., United States Computer Emergency Readiness Team, the agency’s privacy office). In addition, the agency experiencing the breach (e.g., electronic or paper) will notify the other agency’s Systems Security Contact named in this Agreement. If VA is unable to speak with the SSA Systems Security Contact within one hour or if for some other reason notifying the SSA Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), VA will call SSA’s National Network Service Center toll free at 0-000-000-0000. SSA must also notify VA’s Systems Security Contact and the VA Network and Security Operations Center (0 000-000-0000) within one hour. If SSA is unable to speak with VA’s Systems Security Contact within one hour, SSA will contact the VA/VHA Situation Room at (000) 000-0000.
Breach Reporting. Report in writing to Covered Entity within ten (10) business days after discovery, any suspected or actual: (a) access, use or disclosure of PHI not permitted by this Agreement; (b) breach of unsecured PHI in accordance with 45 CFR 164.410; (c) security breach or intrusion; (d) use or disclosure of PHI in violation of any applicable federal or state laws or regulations. Business Associate will implement a reasonable system for discovery of Breaches.
Breach Reporting. 13.10.1 The Supplier shall promptly inform the EPA if any EPA Data is copied, modified, lost or destroyed or becomes damaged, corrupted, or unusable, or if there is any accidental, unauthorised or unlawful disclosure of or access to the EPA Data. In such case, the Supplier will restore such EPA Data at its own expense, and will comply with all of its obligations under Data Protection Legislation in this regard.
13.10.2 The Supplier must inform the EPA of any Personal Data Breaches, or any complaint, notice or communication in relation to a Personal Data Breach, without undue delay, provide sufficient information and assist the EPA in ensuring compliance with its obligations in relation to notification of Personal Data Breaches (including the obligation to notify Personal Data Breaches to the DPC within seventy two (72) hours), and communication of Personal Data Breaches to Data Subjects where the breach is likely to result in a risk to the rights of such Data Subjects. The Supplier shall co-operate with the EPA and take such reasonable commercial steps as are directed by EPA to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
13.10.3 In the event of a personal data breach or any data breach involving the services, the supplier shall not make any announcement to the media in respect of such breach without first consulting with the EPA.
Breach Reporting. 3.2.1 In the event of a Breach of any Unsecured PHI (as defined in 45 C.F.R. 402) or sensitive personal information that Business Associate accesses, maintains, retains, modifies, records, stores, destroys, or otherwise holds or uses on behalf of Covered Entity, Business Associate will provide notice of the Breach to Covered Entity immediately, but in no event more than three (3) days after discovering the Breach.
(i) For purposes of this Business Associate Agreement, a Breach of Unsecured PHI or sensitive personal information will be treated as discovered by Business Associate as of the first day on which such Breach is known to Business Associate (including any person, other than the individual committing the Breach, who is an employee, officer, Subcontractor, or other agent of Business Associate, as determined in accordance with the federal common law of agency) or should have been known to Business Associate following the exercise of reasonable diligence.
3.2.2 Business Associate will be liable to, and indemnify Covered Entity for, unreasonable delays in reporting Breaches to Covered Entity.
3.2.3 Notice of a Breach will include, at a minimum:
(i) the identification of each individual whose PHI or sensitive personal information has been, or is reasonably believed to have been, accessed, acquired, or disclosed during the Breach;
(ii) the date of the Breach, if known, and the date the Breach was discovered;
(iii) a description of the types of PHI or sensitive personal information involved (e.g., names, Social Security numbers, dates of birth, home addresses, or medical record numbers);
(iv) a description of the Business Associate’s response to the Breach, if any (i.e., what the Business Associate has done to investigate the Breach and to protect against future Breaches); and
(v) any other reasonable information requested by Covered Entity.