Incident response
Veridian maintains a documented incident response process used for any event that could affect the security, integrity, or availability of practice or patient data. This page is the public summary; the full runbook is part of our internal security package.
How we detect incidents
- 24/7 automated monitoring on authentication, API usage, payment flows, and infrastructure health.
- Anomaly detection alerting on unusual access or error patterns.
- Customer-reported issues through the dashboard or support email.
- Bug bounty and responsible disclosure (see below).
Severity levels
| Level | Examples |
|---|---|
| SEV-1 | Confirmed unauthorized access to PHI; production-wide outage. |
| SEV-2 | Suspected PHI exposure; major degraded performance. |
| SEV-3 | Single-practice impact, no PHI exposure. |
| SEV-4 | Internal issue with no customer impact. |
Phases
Every incident moves through:
- Detection — automated alert or report received.
- Triage — on-call engineer confirms scope and severity.
- Containment — stop the bleeding (revoke credentials, isolate hosts, block traffic).
- Eradication — remove the root cause.
- Recovery — restore service and verify integrity.
- Post-incident review — root cause, timeline, corrective actions, shared with affected practices.
Customer communication
For SEV-1 and SEV-2 incidents that involve a practice’s data, Veridian notifies the affected practices through the contact on file. Initial notification happens as soon as Veridian has enough information to be useful — typically within hours of containment, not after the full investigation is complete. For incidents that may constitute a breach of unsecured PHI under HIPAA, Veridian follows the timelines and content requirements of the HIPAA Breach Notification Rule (45 CFR § 164.410) for notifying the covered-entity practice.
Practice obligations
When Veridian notifies a practice of an incident, the practice is expected to:
- Acknowledge the notification through normal support channels.
- Provide any information needed to assess scope on the practice side.
- Cooperate on patient notification if it becomes necessary.
Drills
Veridian runs periodic incident response drills covering both technical and communication paths. Findings feed back into the runbook.
Reporting a vulnerability
If you believe you’ve found a security issue in Veridian, please email security@veridianhp.com. We commit to:
- Acknowledging your report within one business day.
- Keeping you informed as we triage and remediate.
- Not pursuing legal action for good-faith research that respects user privacy and avoids degrading service.
