Question: If the person affected by a breach knows about it already, do we still have to officially report it?
Answer: Yes, you still need to officially report the breach, answers Jim Sheldon-Dean, founder and director of compliance services for Lewis Creek Systems LLC in Charlotte, VT. “This actually happens quite frequently within smaller rural offices,” where somebody might wind up with a piece of paper in their envelope for somebody else. This might even be a friendly situation with nobody upset about the mix up.
But even when everyone is aware of the breach and has discussed the situation, “you still need to make the official notifications,” Sheldon-Dean warns. “You still have to send the official letter out or send out the official email notification.”
So even if the affected individual (or individuals) know about the breach already, you still need to follow through with all of the official notifications — that includes the affected individuals and the U.S. Department of Health and Human Services (HHS), Sheldon-Dean stresses.