DHA Home About DHA Human Resources Contact Us FOIA Site Map
Infinite Menus, Copyright 2006, OpenCube Inc. All Rights Reserved.

Breach Response

The Defense Health Agency (DHA) Privacy and Civil Liberties Office (Privacy Office) coordinates comprehensive breach response efforts, to include reporting, monitoring, and remediation efforts within the Military Health System (MHS). Additionally, the Privacy Office ensures compliance with overarching policies and assists in the development of guidance specific to breach response, to include the DHA Incident Response Team and Breach Notification Policy Memorandum and Administrative Instruction, June 6, 2014.

Department of Defense (DoD) 5400.11-R, "DoD Privacy Program," May 14, 2007, defines a breach as the “actual or possible loss of control, unauthorized disclosure, or unauthorized access of personal information where persons other than authorized users gain access or potential access to such information for an other than authorized purposes where one or more individuals will be adversely affected.”

The Privacy Office Breach Response team also conducts annual incident response exercises involving senior MHS leaders and representatives from other DoD components to practice individual roles and strengthen joint-organization response readiness.

Breach Reporting

Report the actual or possible breach of personally identifiable and/or protected health information (PII/PHI) belonging to the MHS to PrivacyOfficerMail@dha.mil.

In accordance with Office of the Secretary of Defense (OSD) Memorandum, "Safeguarding Against and Responding to the Breach of PII," dated June 5, 2009, a risk assessment must be conducted for every breach to determine whether notification to affected individuals is necessary. If required, notification must occur within 10 days from discovery of the breach and the identities of the individuals ascertained.

These documents are for TMA use only and serve as preliminary guidance for breach reporting.

Guidelines for Reporting Breaches

DoD Breach Reporting-Best Judgment Memo

United States-Computer Emergency Readiness Team (US-CERT) Reporting Instructional Guidance

New Breach Reporting Form DD2959

Plan of Action and Milestone Template

“On October 1, 2013, the Department of Defense established the Defense Health Agency (DHA) to manage the activities of the Military Health System. These activities include those previously managed by TRICARE Management Activity (TMA), which was disestablished on the same date. During the next several months, all TMA websites will change to reflect the new DHA. We appreciate your patience during this transition."
DoD Seal
7700 Arlington Boulevard, Suite 5101, Falls Church, VA 22042-5101
The appearance of hyperlinks to external Web sites does not constitute endorsement by the TRICARE Management Activity of these Web sites or the information, products or services contained therein. For other than authorized government activities, TRICARE Management Activity does not exercise any editorial control over the information you may find at other locations. Such links are provided consistent with the stated purpose of this DoD Web site. Accessibility/Section 508