Incident Response & Breach Notification Policy
Effective: April 7, 2026 | Last updated: April 7, 2026
1. Purpose
This policy establishes procedures for identifying, responding to, and recovering from security incidents, including potential breaches of Protected Health Information (PHI). VitalNexa maintains HIPAA-grade security safeguards and treats any potential PHI breach with the highest priority.
2. Incident Classification
| Severity | Description | Response Time |
| --- | --- | --- |
| Critical | Confirmed PHI breach, data exfiltration, or system compromise | Immediate (within 1 hour) |
| High | Suspected breach, unauthorized access attempt, encryption failure | Within 4 hours |
| Medium | Vulnerability discovered, failed login spike, anomalous access pattern | Within 24 hours |
3. Detection
VitalNexa employs the following detection mechanisms:
- Audit logging: Every authenticated request is logged with user ID, IP address, resource type, PHI access flag, and timestamp
- Failed login monitoring: Account lockout after 5 failed attempts with cooldown period
- Anomalous access patterns: Unusual volume of PHI access from a single user or IP
- Infrastructure monitoring: Server health, container status, and resource utilization
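The two log-driven rules above (failed-login spike and anomalous PHI access volume) as a worked example, added here and not VitalNexa's own detection code: a sliding-window counter over audit events carrying the fields this section lists, plus a Scope helper of the kind the containment and investigation steps in section 4 call for. The event batch, the windows and thresholds (5 failed logins per IP in 10 minutes, 20 PHI reads per user in 15 minutes), the resource names, user IDs and IP addresses are all constructed for the example; severities follow the table in section 2, where both patterns sit under Medium.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// AuditEvent carries the fields section 3 says every authenticated request is logged with.
type AuditEvent struct {
	Time      time.Time
	UserID    string
	IP        string
	Resource  string
	PHIAccess bool
	Status    int
}

// Alert is a detector finding; Severity follows the classification table in section 2.
type Alert struct {
	Severity string
	Rule     string
	Key      string // the user ID or IP the rule fired on
	Count    int
	At       time.Time
}

// windowHit reports the first moment at which `threshold` events for one key fall inside a sliding
// window of length `window`, and how many were in the window at that point.
func windowHit(times []time.Time, window time.Duration, threshold int) (time.Time, int, bool) {
	sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
	start := 0
	for end := range times {
		for times[end].Sub(times[start]) > window {
			start++ // drop events that have aged out of the window
		}
		if n := end - start + 1; n >= threshold {
			return times[end], n, true
		}
	}
	return time.Time{}, 0, false
}

// Detect applies two of section 3's rules to a batch of events. The windows and thresholds are
// assumptions for this example, not the policy's configured values.
func Detect(events []AuditEvent) []Alert {
	const (
		loginWindow, loginThreshold = 10 * time.Minute, 5 // failed-login spike per source IP
		phiWindow, phiThreshold     = 15 * time.Minute, 20 // PHI access volume per user
	)
	failedByIP := map[string][]time.Time{}
	phiByUser := map[string][]time.Time{}
	for _, e := range events {
		if e.Resource == "auth/login" && e.Status == 401 {
			failedByIP[e.IP] = append(failedByIP[e.IP], e.Time)
		}
		if e.PHIAccess && e.Status < 400 { // only successful PHI reads count toward volume
			phiByUser[e.UserID] = append(phiByUser[e.UserID], e.Time)
		}
	}
	var alerts []Alert
	for ip, ts := range failedByIP {
		if at, n, ok := windowHit(ts, loginWindow, loginThreshold); ok {
			alerts = append(alerts, Alert{"Medium", "failed-login-spike", ip, n, at})
		}
	}
	for user, ts := range phiByUser {
		if at, n, ok := windowHit(ts, phiWindow, phiThreshold); ok {
			alerts = append(alerts, Alert{"Medium", "phi-volume", user, n, at})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Key < alerts[j].Key }) // map order is random
	return alerts
}

// Scope answers the section 4 question for one user over the affected period: which PHI resources
// were successfully read, and how many times each.
func Scope(events []AuditEvent, userID string, from, to time.Time) map[string]int {
	out := map[string]int{}
	for _, e := range events {
		if e.UserID == userID && e.PHIAccess && e.Status < 400 && !e.Time.Before(from) && !e.Time.After(to) {
			out[e.Resource]++
		}
	}
	return out
}

// SampleEvents is a constructed batch: one IP hammering the login endpoint, one user bulk-reading
// patient records, and a clinician working at a normal pace. IPs are from the documentation ranges.
func SampleEvents() []AuditEvent {
	base := time.Date(2026, 4, 7, 9, 0, 0, 0, time.UTC)
	var ev []AuditEvent
	for i := 0; i < 6; i++ { // 6 failures in 6 minutes
		ev = append(ev, AuditEvent{base.Add(time.Duration(i) * time.Minute), "", "203.0.113.9", "auth/login", false, 401})
	}
	for i := 0; i < 25; i++ { // 25 PHI reads in 12 minutes
		ev = append(ev, AuditEvent{base.Add(time.Duration(i*30) * time.Second), "u-4410", "198.51.100.7", "patients/record", true, 200})
	}
	for i := 0; i < 8; i++ { // 8 PHI reads spread over an hour
		ev = append(ev, AuditEvent{base.Add(time.Duration(i*8) * time.Minute), "u-1187", "198.51.100.12", "patients/record", true, 200})
	}
	return ev
}

func main() {
	for _, a := range Detect(SampleEvents()) {
		fmt.Printf("[%s] %-18s key=%-12s count=%d at=%s\n", a.Severity, a.Rule, a.Key, a.Count, a.At.Format(time.RFC3339))
	}
}
```

Running it flags the login-hammering IP (5 failures inside 10 minutes, firing on the fifth) and the bulk reader (20 PHI reads inside 15 minutes, firing on the twentieth), while the clinician's 8 reads over an hour never trip the window. Scope over the same batch shows what the bulk reader touched, which is the input the notification decision in 4.3 depends on.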
4. Response Procedures
4.1 Containment (First 1-4 hours)
- Isolate affected systems — revoke compromised tokens, block suspicious IPs
- Preserve evidence — snapshot audit logs, container logs, and database state
- Assess scope — determine what data was accessed, by whom, and for how long
- Rotate credentials — API keys, encryption keys, JWT secrets as needed
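Revoking compromised tokens and rotating a JWT secret are harder than the bullets suggest when tokens are stateless, so here is an added example (not VitalNexa's code) of a minimal HS256 issuer with the three containment controls a responder needs: a per-token jti denylist, a per-user "issued before" cut-off, and secret rotation by kid where the old secret keeps verifying until it is explicitly retired. Claim names follow RFC 7519; the kids, secrets, subjects and timestamps are constructed for the example. The same structure applies to the session JWTs listed under section 5.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal claim set the verifier needs (RFC 7519 names).
type Claims struct {
	Sub string `json:"sub"`
	Jti string `json:"jti"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

type header struct {
	Alg string `json:"alg"`
	Kid string `json:"kid"`
}

// Issuer signs with the current secret and verifies against any secret still in the set, so a
// rotation does not log everyone out; containment state (denylist, per-user cut-off) lives beside the keys.
type Issuer struct {
	keys    map[string][]byte // kid -> HMAC-SHA256 secret
	current string
	revoked map[string]bool  // jti denylist; entries can be dropped once their exp has passed
	userCut map[string]int64 // sub -> tokens with iat before this unix time are rejected
}

func NewIssuer(kid string, secret []byte) *Issuer {
	return &Issuer{keys: map[string][]byte{kid: secret}, current: kid,
		revoked: map[string]bool{}, userCut: map[string]int64{}}
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

func (is *Issuer) mac(kid, signingInput string) []byte {
	m := hmac.New(sha256.New, is.keys[kid])
	m.Write([]byte(signingInput))
	return m.Sum(nil)
}

func (is *Issuer) Issue(c Claims) (string, error) {
	h, _ := json.Marshal(header{Alg: "HS256", Kid: is.current})
	p, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := b64(h) + "." + b64(p)
	return input + "." + b64(is.mac(is.current, input)), nil
}

// Verify rejects, in order: malformed tokens, any alg other than the one we issue (so "none" and
// algorithm-confusion tricks fail), unknown or retired kids, bad signatures, expiry, denylisted
// jtis, and tokens issued before a per-user revocation cut-off.
func (is *Issuer) Verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var h header
	if err := json.Unmarshal(hb, &h); err != nil || h.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	if _, ok := is.keys[h.Kid]; !ok {
		return nil, fmt.Errorf("unknown or retired kid %q", h.Kid)
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, is.mac(h.Kid, parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	switch {
	case now.Unix() >= c.Exp:
		return nil, errors.New("expired")
	case is.revoked[c.Jti]:
		return nil, errors.New("token revoked")
	case c.Iat < is.userCut[c.Sub]:
		return nil, errors.New("issued before user-wide revocation")
	}
	return &c, nil
}

// RevokeToken denylists one token; RevokeUser invalidates everything a subject currently holds.
func (is *Issuer) RevokeToken(jti string)              { is.revoked[jti] = true }
func (is *Issuer) RevokeUser(sub string, at time.Time) { is.userCut[sub] = at.Unix() }

// Rotate makes a new secret current while old kids keep verifying; Retire drops a kid outright,
// which is the right move when the old secret itself is suspected compromised.
func (is *Issuer) Rotate(kid string, secret []byte) { is.keys[kid] = secret; is.current = kid }
func (is *Issuer) Retire(kid string)                 { delete(is.keys, kid) }

func main() {
	is := NewIssuer("k1", []byte("constructed-secret-1"))
	now := time.Now()
	tok, _ := is.Issue(Claims{Sub: "u-4410", Jti: "t-1", Iat: now.Unix(), Exp: now.Add(15 * time.Minute).Unix()})
	is.RevokeToken("t-1")
	_, err := is.Verify(tok, now)
	fmt.Println("after RevokeToken:", err)
}
```

Two design points matter during containment. The denylist only has to be remembered for the longest token lifetime, so short expiry (the "JWT with expiration" safeguard in section 5) keeps it small; and a per-user cut-off is the cheap way to revoke every session a compromised account holds without enumerating its tokens. Retiring a kid is the blunt instrument: it invalidates every token signed under that secret at once, which is exactly what you want if the secret leaked and exactly what you do not want if only one token did.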
4.2 Investigation (4-48 hours)
- Review audit logs for the affected time period
- Identify root cause — vulnerability exploited, credential compromise, insider threat
- Determine whether PHI was actually accessed or exfiltrated, and whether it was unsecured: PHI encrypted in line with HHS guidance falls outside the notification duty only if the keys were not also compromised, so the key-compromise question from 4.1 must be answered explicitly
- Document findings with timeline
4.3 Notification (without unreasonable delay and in no case later than 60 calendar days after discovery, per the HIPAA Breach Notification Rule)
- Affected individuals: Written notification describing the breach, the types of information involved, the steps VitalNexa has taken, and recommended protective actions
- HHS Secretary: If the breach affects 500 or more individuals, notify HHS at the same time as the affected individuals (no later than 60 days after discovery). For fewer than 500, log the breach and submit the log to HHS no later than 60 days after the end of the calendar year in which it was discovered
- Media: If the breach affects more than 500 residents of a single state or jurisdiction, notify prominent media outlets serving that state or jurisdiction on the same timeline as individual notice
4.3.1 GDPR Breach Notification (EU/EEA)
In addition to HIPAA requirements, for breaches involving personal data of EU/EEA residents, VitalNexa will comply with GDPR Article 33 and Article 34:
- Supervisory Authority notification (Article 33): The breach must be reported to the relevant supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where notification is not made within 72 hours, the reasons for the delay must be documented.
- Individual notification (Article 34): Affected EU/EEA individuals must be notified without undue delay if the breach is likely to result in a high risk to their rights and freedoms. The notification must describe the nature of the breach, the likely consequences, the measures taken or proposed, and the contact point for further information.
- Documentation: All breaches, regardless of whether they are reportable, will be documented internally including the facts, effects, and remedial action taken (Article 33(5)).
4.4 Remediation
- Patch the vulnerability or close the attack vector
- Re-encrypt affected data if encryption was compromised
- Update security controls to prevent recurrence
- Conduct post-incident review and update this policy
5. Technical Safeguards
- Encryption at rest: AES-256-GCM envelope encryption (DEK/KEK) for all PHI
- Encryption in transit: TLS 1.3 via Caddy auto-HTTPS
- PII scrubbing: Personal identifiers stripped before AI processing
- Row-Level Security: PostgreSQL RLS ensures tenant data isolation
- Password hashing: Argon2id; legacy bcrypt hashes are re-hashed to Argon2id automatically when the user next authenticates successfully, the only point at which the plaintext password is available
- Session management: HttpOnly secure cookies, JWT with expiration
- Account lockout: Progressive lockout after failed authentication attempts
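How the AES-256-GCM DEK/KEK envelope scheme listed above interacts with "rotate encryption keys" (4.1) and "re-encrypt affected data if encryption was compromised" (4.4), as an added example that is not VitalNexa's implementation: a KEK rotation re-wraps only each record's DEK and leaves the PHI ciphertext alone, while a compromised DEK forces a real decrypt-and-re-encrypt with a fresh DEK. The in-memory KeyRing stands in for a KMS or HSM; the record IDs, sample plaintext and AAD labels are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Record is one stored PHI value: its DEK sealed under KEK version KEKVersion, and the ciphertext
// sealed under that DEK. Both blobs are nonce || AES-256-GCM output.
type Record struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// randBytes returns n bytes from crypto/rand (256-bit keys, 96-bit GCM nonces).
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// aead builds AES-256-GCM; only a wrong key length can fail, and every key here is 32 bytes.
func aead(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal encrypts under a fresh nonce; aad binds the blob to its context without being stored in it.
func seal(gcm cipher.AEAD, plaintext, aad []byte) []byte {
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open fails on a truncated blob, a wrong key, a wrong aad, or any tampering (GCM tag check).
func open(gcm cipher.AEAD, blob, aad []byte) ([]byte, error) {
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, fmt.Errorf("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], aad)
}

// KeyRing stands in for the KMS/HSM that holds KEKs in production; only wrap/unwrap calls cross that boundary.
type KeyRing struct {
	keks    map[int][]byte
	current int
}

func NewKeyRing() *KeyRing { return &KeyRing{keks: map[int][]byte{1: randBytes(32)}, current: 1} }

func kekAAD(v int) []byte { return []byte(fmt.Sprintf("kek:v%d", v)) }

// Rotate makes a new KEK version current. Older versions stay readable until Retire is called,
// which must wait until Rewrap has run over every record still on the old version.
func (r *KeyRing) Rotate() int {
	r.current++
	r.keks[r.current] = randBytes(32)
	return r.current
}

func (r *KeyRing) Retire(version int) { delete(r.keks, version) }

// Encrypt uses a fresh DEK per record, binds the ciphertext to its record ID via AAD, and wraps the DEK under the current KEK.
func (r *KeyRing) Encrypt(id string, plaintext []byte) *Record {
	dek := randBytes(32)
	return &Record{
		KEKVersion: r.current,
		WrappedDEK: seal(aead(r.keks[r.current]), dek, kekAAD(r.current)),
		Ciphertext: seal(aead(dek), plaintext, []byte(id)),
	}
}

func (r *KeyRing) unwrap(rec *Record) ([]byte, error) {
	kek, ok := r.keks[rec.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d is retired", rec.KEKVersion)
	}
	return open(aead(kek), rec.WrappedDEK, kekAAD(rec.KEKVersion))
}

func (r *KeyRing) Decrypt(id string, rec *Record) ([]byte, error) {
	dek, err := r.unwrap(rec)
	if err != nil {
		return nil, err
	}
	return open(aead(dek), rec.Ciphertext, []byte(id))
}

// Rewrap is the cheap KEK-rotation path: only the DEK is re-wrapped, the PHI ciphertext is untouched.
func (r *KeyRing) Rewrap(rec *Record) error {
	dek, err := r.unwrap(rec)
	if err != nil {
		return err
	}
	rec.KEKVersion, rec.WrappedDEK = r.current, seal(aead(r.keks[r.current]), dek, kekAAD(r.current))
	return nil
}

func main() {
	ring := NewKeyRing()
	rec := ring.Encrypt("pt-001", []byte("MRN 1002-77; dx: type 2 diabetes")) // constructed sample PHI
	ring.Rotate()
	fmt.Println("rewrap:", ring.Rewrap(rec), "| record now under KEK v", rec.KEKVersion)
}
```

The operational rule this encodes: after Rotate, old KEK versions must stay in the ring until Rewrap has visited every record, and only then is Retire safe; a record left behind under a retired version is unrecoverable. Re-encrypting a record whose DEK was exposed is Decrypt followed by Encrypt with a fresh DEK, which is the path 4.4 means by "re-encrypt affected data". Binding each ciphertext to its record ID through AAD also means a blob copied into another record's row fails to decrypt rather than silently returning the wrong patient's data.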
6. Audit Log Retention
Audit logs are retained for a minimum of 6 years, matching the HIPAA documentation retention period (45 CFR 164.316(b)(2)). Each entry records: user ID, action performed, resource type, resource ID, IP address, timestamp, response status, and PHI access classification.
7. Contact
Security concerns should be reported immediately to: security@vitalnexa.health
Privacy inquiries: privacy@vitalnexa.health