Contain: stop forwarding chains, revoke tokens if applicable, preserve logs without tipping malicious actors.
Notify according to your playbook: privacy officer, counsel, cyber insurer, and sometimes individuals/regulators on strict timelines.
Post-incident, update policies based on root cause—not generic “more training” alone.
If you cannot retrieve it, you cannot defend it—or release it to patients.
If a vendor touches PHI on your behalf, paperwork should match reality—not a dusty PDF no one read.
Fax persists in healthcare because it is familiar—not because it is magically secure.
Not every mailbox needs military-grade tooling—but unencrypted PHI to consumer Gmail is indefensible.