Incident response
Veridian Health Partners maintains an incident response process for events that could affect the security, integrity, or availability of Veridian Motion data. This is a public summary; detailed runbooks are available to customers under agreement.Detection
- Automated monitoring on authentication, API errors, and infrastructure health
- Anomaly alerting on unusual access patterns
- Customer reports via support channels
- Responsible disclosure to security@veridianhp.com
Severity levels
| Level | Examples |
|---|---|
| SEV-1 | Confirmed unauthorized PHI access; production-wide outage |
| SEV-2 | Suspected PHI exposure; major degraded performance |
| SEV-3 | Single-agency impact, no confirmed PHI exposure |
| SEV-4 | Internal issue, no customer impact |
Response phases
- Detection — alert or report received
- Triage — scope and severity confirmed
- Containment — revoke credentials, block access, isolate affected systems
- Eradication — remove root cause
- Recovery — restore service, verify integrity
- Post-incident review — root cause, corrective actions, customer summary
Customer notification
For SEV-1 and SEV-2 incidents involving agency data, Veridian notifies the agency contact on file as soon as useful information is available — typically within hours of containment, not after full investigation. Incidents that may constitute a breach of unsecured PHI under HIPAA follow Breach Notification Rule timelines (45 CFR § 164.410) for notifying the covered entity.Agency obligations
When notified, agencies should acknowledge, provide scope information, and cooperate on patient notification if required.Testing
Veridian runs periodic drills covering technical and communication paths.Reporting vulnerabilities
Email security@veridianhp.com. We acknowledge within one business day. Do not test against production PHI; use pilot environments with synthetic data.What’s next
Security overview
Full posture summary.
HIPAA
BAA and breach framing.
