Managed Care Outlook 2025

Risk management

In managed care, protecting privilege during a data breach investigation is paramount. Establishing and following best practices is essential to keep your company's breach response investigation from being subject to compelled disclosure.

A body of case law has emerged on whether communications and materials generated in a data breach investigation are privileged. Courts are likely to look for adherence to these practices when deciding future privilege disputes.

By integrating these best practices into your breach response strategy, you can better position your company to protect sensitive information during a data breach investigation.

The average cost of a data breach for health care companies stands at $9.8 million, the highest of any industry for the 14th consecutive year.

Breach response best practices

Two-track investigation. In light of the case law that has developed in this area, the best practice is to conduct a two-track investigation in the event of a data breach: an ordinary course of business track and a legal track.

Courts have protected data breach investigative materials and communications under the attorney-client privilege and/or the work product doctrine where the company's breach response ran on two separate investigative tracks. See Maldonado v. Solara Med. Supplies, LLC, 2021 U.S. Dist. LEXIS 258382, at *12-13 (D. Mass. June 2, 2021) (upholding work product and attorney-client privilege protections for data breach investigation materials, in part because the company conducted a two-track investigation).

Separate work streams for each track. One investigative track handles the ordinary course of business investigation: whether unauthorized activity occurred within the systems environment; whether it resulted in the compromise of sensitive data; the scope of any such compromise; and remediation of the breach. See Leonard v. McMenamins Inc., 2023 U.S. Dist. LEXIS 217502, at *9-10 (W.D. Wash. Dec. 6, 2023). This track should be limited to documenting the technical facts needed to determine what happened (information that likely is not protectable in any event), and it should culminate in a non-privileged report that IT and Privacy can use to direct the response, remediate the breach and comply with the law. Because that report and the underlying technical records may be disclosed, the business track should confine itself to factual findings rather than speculation about fault or legal exposure.

The legal track investigation, on the other hand, should be conducted under the direction of outside counsel for the purpose of educating counsel about the data breach so that counsel can provide the company with legal advice and prepare to defend the company against anticipated litigation and government actions, culminating in a separate privileged/protected report. To further preserve attorney-client privilege and/or work product protections, the two tracks should not communicate with each other about the substance of the legal track investigation. Id., at *9-11.

Key takeaways
  • Establish processes in your company's breach response plan that enhance privilege protections
  • Perform dual-track investigations: one for business operations, the other for legal advice and defense at the direction of outside counsel, with a separate report for each
  • Limit distribution of legal track communications and materials
  • Maintain proper records on the business track to establish the facts of the data breach