The Defense Health Agency (DHA) Privacy and Civil Liberties Office (Privacy Office) coordinates
comprehensive breach response efforts, including reporting, monitoring, and remediation,
within the Military Health System (MHS). Additionally, the Privacy Office ensures compliance with
overarching policies and assists in the development of guidance specific to breach response, including
the DHA Incident Response Team and Breach Notification Policy Memorandum and Administrative
Instruction, June 6, 2014.
Department of Defense (DoD) 5400.11-R, "DoD Privacy Program," May 14, 2007, defines a breach as the “actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for an other than authorized purposes where one or more individuals will be adversely affected.”
The Privacy Office Breach Response team also conducts annual incident response exercises involving senior MHS leaders and representatives
from other DoD components to practice individual roles and strengthen joint-organization response readiness.
Report the actual or possible breach of personally identifiable and/or protected health information (PII/PHI) belonging to the MHS to
In accordance with the Office of the Secretary of Defense (OSD) Memorandum, "Safeguarding Against and Responding to the Breach of PII," dated June 5, 2009, a risk assessment must be conducted for every breach to determine whether notification to affected individuals is necessary. If required, notification must occur within 10 days of the breach being discovered and the identities of the individuals being ascertained.
These documents are for TMA use only and serve as preliminary guidance for breach reporting.
Guidelines for Reporting Breaches
DoD Breach Reporting-Best Judgment Memo
United States-Computer Emergency Readiness Team (US-CERT) Reporting Instructional
New Breach Reporting Form DD2959
Plan of Action and Milestone Template