
So Your Lab Had a Data Breach—What Are Your Next Steps?

With phishing attacks on the rise, lab managers must be ready to communicate how they will learn from vulnerabilities and prevent future attacks

Written by Holden Galusha
| 3 min read

Lab managers whose labs have the misfortune of being successfully breached through a phishing attempt may be responsible for communicating the incident to both internal stakeholders (leadership) and external stakeholders (customers).

CrowdStrike, the cybersecurity technology giant, says in its 2025 Global Threat Report that there was a 442 percent increase in voice phishing attacks (otherwise known as vishing, a form of phishing that takes place over the phone instead of email). Similarly, Lab Manager’s sister brand Dark Daily reported in February that phishing was a top cyberattack method targeting clinical laboratories.

Lab Manager recently had the opportunity to examine the internal incident response and postmortem emails of a data breach enabled by a phishing attack. We came away with some specific takeaways that can help shape your response.

Why communicating a cybersecurity incident strategically is important

Your response can influence your lab’s reputation in the aftermath of a data breach or infiltration. You’ll want to demonstrate to leadership and customers alike that your lab is positioned to address the incident swiftly and effectively by showcasing transparency, awareness, and ownership. Each of these values will communicate a needed message:

  • Transparency reinforces that your lab is trustworthy and is prioritizing the interests of involved stakeholders. 
  • Awareness shows that you’re actively identifying areas of improvement to prevent another incident. 
  • Ownership will tell them how you’ll learn from this incident and the actions you’ll take to prevent it from repeating.

These values will help restore confidence in your organization.

What effective communication looks like

There are some key pieces of information to include in your messaging:

What happened

Detailing exactly what the cybersecurity incident was and how it transpired is important to showing transparency. Necessary details include the type of attack (e.g., phishing), who was affected and what data was accessed, and whether the attack succeeded through a technical or a social weakness. A technical attack exploits a flaw in the lab's systems, such as unpatched software, an exposed service, or a misconfigured account, and is addressed through hardening by IT, a fix that would typically not fall under the lab manager's purview. A social attack, on the other hand, succeeds because someone was tricked by the attacker, as in phishing. These attacks are addressed primarily through more effective and consistent training in good security hygiene, such as never sharing passwords or one-time codes, recognizing suspicious emails, and identifying illegitimate or spoofed websites, backed by controls that limit the damage when a person is fooled, such as multi-factor authentication. In these situations, lab managers would usually be responsible for ensuring that their staff complete the required training.

How those reading it may be affected

An effective notice should spell out the ways in which recipients may be affected: what data about them was accessed and what, if anything, they need to do about it. Depending on the information that was accessed, stakeholders may need to carry out their own response plans, such as resetting shared credentials or notifying their own stakeholders.

Who to contact for further questions

Those affected by the breach will likely have follow-up questions or need guidance. Customers’ IT teams, for instance, may need to gather additional details from your organization. Work with IT to designate someone in your organization to take these questions and answer them on behalf of the organization or route requests to the right person.

Protected health information breaches require further action

In the US, breaches that involve the theft or exposure of protected health information (PHI) under HIPAA carry additional obligations. The HIPAA Breach Notification Rule, administered by the US Department of Health and Human Services (HHS), requires covered entities, including clinical laboratories that transmit health information electronically, to report breaches of unsecured PHI.


There is a threshold: for a breach affecting fewer than 500 individuals, labs must report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered. For a breach affecting 500 or more individuals, labs must report to HHS without unreasonable delay and no later than 60 days after discovery.

Also, for a breach affecting more than 500 residents of a state or jurisdiction, labs are required to provide notice to prominent media outlets serving that state or jurisdiction, again without unreasonable delay and no later than 60 days after discovery.

Medical labs must also notify every individual affected by a HIPAA breach, without unreasonable delay and no later than 60 days after discovery, regardless of how many individuals were affected.

Next steps for the lab

The surest way to build back trust is to highlight the specific steps your organization will take to ensure that such a data breach does not occur again. Effective and accessible steps could be mandating more staff training, enforcing multi-factor authentication for lab software (preferably a phishing-resistant method such as hardware security keys, since one-time codes sent by text or app can themselves be phished), allowing only organization-owned and managed devices to access data, and other measures recommended by IT. These steps can go far in securing your lab and building trust again.


Ultimately, a breach doesn’t have to define your lab’s reputation, but it will if you don’t respond to it effectively. By leading with transparency, awareness, and ownership, you can manage the immediate fallout and strengthen the lab’s resilience against future attacks. The key is to communicate clearly, act decisively, and ensure every step signals a commitment to safeguarding both data and trust.

About the Author

Holden Galusha is an associate editor for Lab Manager. He was a freelance contributing writer for Lab Manager before joining the team full-time. Previously, he was the content manager for lab equipment vendor New Life Scientific, Inc., where he wrote articles covering lab instrumentation and processes. Additionally, Holden has an associate of science degree in web/computer programming from Rhodes State College, which informs his content regarding laboratory software, cybersecurity, and other related topics. In 2024, he was one of just three journalists awarded the Young Leaders Scholarship by the American Society of Business Publication Editors. You can reach Holden at holden.galusha@gmail.com.
