Skip to main content

Incident response

Veridian Health Partners maintains an incident response process for events that could affect the security, integrity, or availability of Veridian Motion data. This is a public summary; detailed runbooks are available to customers under agreement.

Detection

  • Automated monitoring on authentication, API errors, and infrastructure health
  • Anomaly alerting on unusual access patterns
  • Customer reports via support channels
  • Responsible disclosure to security@veridianhp.com

Severity levels

LevelExamples
SEV-1Confirmed unauthorized PHI access; production-wide outage
SEV-2Suspected PHI exposure; major degraded performance
SEV-3Single-agency impact, no confirmed PHI exposure
SEV-4Internal issue, no customer impact

Response phases

  1. Detection — alert or report received
  2. Triage — scope and severity confirmed
  3. Containment — revoke credentials, block access, isolate affected systems
  4. Eradication — remove root cause
  5. Recovery — restore service, verify integrity
  6. Post-incident review — root cause, corrective actions, customer summary

Customer notification

For SEV-1 and SEV-2 incidents involving agency data, Veridian notifies the agency contact on file as soon as useful information is available — typically within hours of containment, not after full investigation. Incidents that may constitute a breach of unsecured PHI under HIPAA follow Breach Notification Rule timelines (45 CFR § 164.410) for notifying the covered entity.

Agency obligations

When notified, agencies should acknowledge, provide scope information, and cooperate on patient notification if required.

Testing

Veridian runs periodic drills covering technical and communication paths.

Reporting vulnerabilities

Email security@veridianhp.com. We acknowledge within one business day. Do not test against production PHI; use pilot environments with synthetic data.

What’s next

Security overview

Full posture summary.

HIPAA

BAA and breach framing.