
Effective Date: May 23, 2025

1. Purpose

This policy outlines the official protocol of CliniciansCheck Ltd ("CliniciansCheck", "we", "our") for identifying, reporting, investigating, and responding to actual or suspected data breaches, cyber incidents, and other security events. It ensures legal compliance, protects data subjects, preserves platform integrity, and aligns with global standards.

2. Scope

This policy applies to:

  • All employees, contractors, partners, and vendors

  • All systems, cloud services, and infrastructure operated by or integrated with CliniciansCheck

  • All personal, clinical, commercial, or AI-generated data processed or stored on the platform

3. Governance & Regulatory Alignment

CliniciansCheck complies with the breach response mandates of:

  • UK & EU GDPR (Articles 33 & 34)

  • US HIPAA Breach Notification Rule

  • NHS DSPT breach protocols

  • NIST 800-61 Rev. 2 Incident Handling Framework

  • ISO/IEC 27035:2016 Incident Management

  • OECD Security Guidelines

  • EU AI Act and UK NHS AI Code (for AI-related incidents)

4. Definitions

  • Security Incident: Any unauthorized access, disclosure, alteration, or destruction of data or systems.

  • Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data.

  • High-Risk Breach: One that is likely to result in significant harm to the rights and freedoms of affected individuals.

5. Incident Types Covered

  • Unauthorized access to personal, clinical, or system data

  • Malware, ransomware, or DDoS attacks

  • Loss or theft of devices containing sensitive data

  • Insider threats, human error, or misconfigurations

  • Compromise of AI tools or misuse of automation

  • Infrastructure downtime affecting patient-critical access

6. Detection & Initial Response

Monitoring: 24/7 monitoring via SIEM and intrusion detection systems

Alerting: All employees must report suspected incidents within 1 hour to the internal security team via secure channels

Triage: Incidents are triaged within 2 hours using the CIR (Criticality-Impact-Risk) framework

7. Containment & Recovery

Short-term containment: Access controls and network segmentation to isolate threats

Eradication: Removal of root causes (malware, user accounts, vulnerabilities)

Recovery: System restoration, validation, and resumption of normal operations

Communication: Internal updates, executive briefings, and external disclosures as necessary

8. Notification Obligations

8.1 Regulatory Notification

Report to the ICO (UK) or EDPB authority (EU) within 72 hours of breach awareness, if applicable

Report to US Department of Health and Human Services (HHS) within 60 days if PHI is involved (HIPAA)

8.2 Data Subject Notification

If high risk to individual rights is identified, notify affected data subjects without undue delay

Notifications must include:

  • Nature and scope of the breach

  • Categories of data affected

  • Potential consequences

  • Mitigation steps and support resources

9. AI & Algorithmic Incident Response

Any AI anomaly, bias, or malfunction must be reported within 24 hours

Logs, inputs, and outputs from the AI system must be preserved for audit

The system is paused until a risk assessment is completed

If harm is caused or imminent, the event is escalated as a high-risk incident

10. Documentation & Legal Recordkeeping

All incidents are logged in the Internal Breach Register

Full audit trails and system logs are retained for 6 years

Post-incident reports are reviewed by the Information Governance Committee

11. Post-Incident Review & Lessons Learned

Root Cause Analysis (RCA) within 5 business days of resolution

Preventative controls are updated accordingly

Summary findings shared (anonymized) across teams to support a security-aware culture

12. Training & Awareness

Annual security incident simulation exercises for all staff

Phishing tests, red-teaming, and scenario drills for high-risk roles

Contractors must complete incident handling training before platform access is granted

13. Third-Party Involvement

Third-party processors are contractually bound to report breaches within 24 hours

CliniciansCheck enforces breach clause compliance via Data Processing Agreements (DPAs)

Shared incident response playbooks are developed with critical vendors

14. Enforcement & Disciplinary Action

Non-compliance with this policy may result in disciplinary action, termination, or referral to regulatory authorities

Contractors and partners may face contract suspension or revocation of access

15. Policy Review & Maintenance

This policy is reviewed annually or upon significant regulatory change

Owned by the Chief Information Security Officer (CISO) and Data Protection Officer (DPO)

16. Contact

Questions or reports related to security incidents should be directed to:

Data Protection & Security Operations Team

CliniciansCheck Ltd

2 Harley Street, London, W1G 9PA, United Kingdom

operationsteam@clinicianscheck.com

This policy is legally binding, aligned with international best practices, and forms part of CliniciansCheck’s core security and governance obligations.

17. Cross-Border Breach Protocol

In the event of a breach affecting multiple jurisdictions:

  • CliniciansCheck will coordinate with lead supervisory authorities under the One-Stop-Shop mechanism (for GDPR).

  • Country-specific breach notification timelines and formats will be respected, including state-level U.S. laws, Canada’s PIPEDA, Australia’s NDB Scheme, and APEC CBPR framework where applicable.

  • A multilingual breach communication template will be prepared for global incidents.

18. AI Breach Risk Categorization

All AI-related incidents will be categorized as:

Category A: AI decision leads to clinical harm or misdiagnosis

Category B: Algorithmic bias results in discrimination or data misuse

Category C: Unauthorized model training or data leakage from generative systems

Each category has a predefined response severity level and regulatory escalation path.

19. Forensic Investigation Protocol

In the case of high-impact breaches:

  • A certified third-party forensic investigation team will be engaged within 48 hours.

  • Chain-of-custody procedures will be followed for digital evidence.

  • A technical forensic report will be archived for regulatory inspection and legal defense.

20. Whistleblower & Anonymous Reporting Protection

Staff, vendors, and users can report potential breach cover-ups or negligent behavior via an anonymous escalation channel.

CliniciansCheck guarantees non-retaliation in accordance with global whistleblower protection standards.

This policy is enforceable globally and is part of the platform’s legally binding compliance framework. It is aligned with the WMA Declaration of Geneva, the WHO Global Code of Practice, the GDPR, HIPAA, the UK NHS AI Code of Conduct, and the EU AI Act.

CliniciansCheck maintains zero tolerance for data negligence, bias concealment, or breach non-disclosure. This policy reflects our commitment to protecting life-critical data and operating at the highest levels of ethical and legal integrity.