Comparison · Privacy

Breach vs Security Incident

A Security Incident is the attempted or successful unauthorized access to a system. A Breach is a more specific finding — unauthorized acquisition of unsecured PHI that requires notification.

Last reviewed May 24, 2026

Side by side

Option A

Security Incident

The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.

45 CFR 164.304
  • Defined at 45 CFR 164.304.
  • Must be logged; significant incidents must be responded to per the entity's incident response procedures.
  • Every breach is a security incident; not every security incident is a breach.
Option B

Breach

The acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule which compromises the security or privacy of the PHI.

45 CFR 164.402
  • Defined at 45 CFR 164.402.
  • Presumed unless the entity demonstrates low probability of compromise via a 4-factor risk assessment.
  • Triggers 45 CFR 164.404 (individual notice) and 164.408 (HHS notice).
Citation
Incident45 CFR 164.304
Breach45 CFR 164.402
Notification trigger
IncidentInternal logging and response
BreachIndividual + HHS (+ media if ≥500)
Test
IncidentAny attempted or successful unauthorized access
BreachUnsecured PHI was acquired/accessed/used/disclosed AND a 4-factor risk assessment does not demonstrate low probability of compromise
Time window
IncidentPer the entity's incident response policy
Breach60 days from discovery for individual notice; concurrent for HHS if ≥500

When to use Security Incident

  • Failed login attempts, malware detection, suspicious port scan — log as a security incident; investigate per IR plan.

When to use Breach

  • Lost unencrypted laptop containing ePHI, ransomware that exfiltrated PHI, misdirected fax of patient record — apply 4-factor risk assessment; presume breach unless low probability is demonstrated.

Common mistakes

  • Treating every security incident as a breach (over-reporting).
  • Treating an incident as not a breach without conducting and documenting the 4-factor risk assessment.
  • Missing the 60-day individual-notice clock — it starts at discovery, not at investigation close.

Sources

Take it into the workspace

Run the 4-factor assessment in the SRA readiness check

Open sra studio
Authored by D3rx

D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.

Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.

This comparison is a research aid for billing and compliance staff. It does not provide legal, medical, or financial advice and does not replace counsel. References cited link to primary sources at CMS, HHS, OCR, eCFR, NIST, and the relevant payer or state regulator. Last reviewed May 24, 2026.