Updated July 19, 2023
A cybersecurity incident report includes information about a breach and its impact on services or data. The form assesses how the attacker entered the system and its effect afterward. If personal information was stolen through an attack, the impacted organization may be required to inform its users and government bureaus by law (such as if personal health information (PHI) was obtained).
Includes PHI
If medical records were stolen in a breach, the incident must be reported by a covered entity to the U.S. Dept. of Health and Human Services (HSS) (per 45 C.F.R. § 164.408). The reporting types are divided into 2 categories:
- Less than 500 records – Must report the incident within 60 days from the end of the calendar year the breach occurred.
- 500 or more records – Must report the incident within 60 days of discovery of the incident.
Doesn’t Include PHI
The victim of the attack is not required to report the incident and has the option to report it to the FBI. The FBI has 2 classifications for cyber attacks:
- Threat Response – When attacks are made to disrupt the day-to-day activities of an organization with malicious intent.
- Asset Response – Includes the stealing of personal data, intellectual property, or outright theft.
By Type (3)
American Health Information Management Association (AHIMA) Report Form
Download: PDF
HIPAA Report Form
Download: PDF, MS Word, OpenDocument
Standard Report Form
Download: PDF, MS Word, OpenDocument
Sample
CYBERSECURITY (IT) INCIDENT REPORT FORM
Use this form to report any cybersecurity issues, breaches, hacks, malware, or any other incidents involving a 3rd party.
Date of Report: [DATE]
I. CONTACT PERSON.
Full Name: [NAME] Address: [ADDRESS]
Job Title: [TITLE]
Phone: [PHONE] E-Mail: [E-MAIL]
II. THE INCIDENT.
Date of Incident: [DATE] Time: [TIME] ☐ AM ☐ PM
Type of Incident: ☐ Malware ☐ Data Breach ☐ Other: [OTHER]
How was the incident detected / discovered? [DESCRIBE]
III. NOTIFICATION.
Were other personnel notified? ☐ Yes ☐ No
If yes, enter: [DESCRIBE]
IV. CONTAINMENT
Were any containment measures made? ☐ Yes ☐ No
If yes, describe: [DESCRIBE]
V. IMPACTED SERVICES.
Was anything permanently impacted by the incident? ☐ Yes ☐ No
If yes, describe: [DESCRIBE]
VI. ATTACK VECTOR.
Do you know how the attack was made? ☐ Yes ☐ No
If yes, describe: [DESCRIBE]
VII. INFORMATION IMPACT.
Was there any data, records, or information breached? ☐ Yes ☐ No
If yes, describe: [DESCRIBE]
VIII. OTHER.
Is there any other information you would like to include in this report? ☐ Yes ☐ No
If yes, describe: [DESCRIBE]
OFFICE USE ONLY
Report received by: [NAME] Date: [DATE]
Follow-up action taken: [DESCRIBE]