Breach Policy
What we do — and what you should expect from us — if your child's protected health information is exposed in an incident.
Last reviewed: May 18, 2026
1. What counts as a breach
A breach is any acquisition, access, use, or disclosure of protected health information that is not permitted under our privacy policy and that compromises the security or privacy of that information. Examples:
- An unauthorized person gains access to your child's screening answers or uploaded video.
- A vendor we use (Supabase, Resend, Twilio, Anthropic, etc.) discloses that they had a breach affecting our data.
- A laptop or device containing PHI is lost or stolen.
- An employee or contractor accesses information beyond what their role requires.
- Credentials (API keys, passwords) are compromised.
Internal incidents that are contained before any PHI leaves our perimeter (e.g., a typo that briefly exposed data only to an authenticated parent who already had access) are documented but typically don't require notification.
2. What we do when a breach occurs
- Stop the bleeding. Identify the vector and cut off the attacker's access: rotate compromised credentials within an hour, revoke any sessions or tokens issued with them, and block the exploited path. Containment comes first; the permanent code fix waits until evidence has been captured.
- Capture forensics. Before any cleanup, snapshot the database, preserve logs, and export the audit and disclosure log entries for the affected time window. Evidence captured after cleanup no longer shows what the attacker saw or changed.
- Determine scope. Whose records were affected, what categories of information were exposed, whether the data left our perimeter, whether the exposure is ongoing.
- Engage counsel if any exposure is confirmed.
- Notify affected parents in writing as soon as practicable. For Massachusetts residents: within the timeframe required by M.G.L. ch. 93H. For other states: per that state's breach notification statute. Counsel coordinates non-MA notice.
- Notify regulators. For MA residents: the Massachusetts Attorney General and the MA Office of Consumer Affairs and Business Regulation. For other states: the comparable state regulators. We are not a HIPAA covered entity, so the federal HIPAA breach notification rule (45 CFR §164.404) does not apply.
- Provide remediation. Depending on what was exposed: identity-protection credit monitoring (paid by us), free record export, refunds, free re-issuance of clearances if integrity was affected.
- Document everything internally for forensic + legal review.
- Update prevention infrastructure. Add a CI check, alert, or code constraint that prevents the same class of incident from recurring.
3. What the notification letter contains
Per Massachusetts statute (and most other state laws), the written notification you receive will include:
- What happened, in plain language.
- When it happened (date range).
- What categories of your child's information were involved.
- What we're doing in response.
- What you can do (credit freeze, monitoring, contacting us).
- Our contact info for questions.
- The fact that we have notified state regulators.
4. Clinical integrity breaches
If the breach affects the integrity of the medical record itself — for example, a bug that corrupted screening answers, or an unauthorized actor modifying a chart — we additionally:
- Restore from Supabase point-in-time recovery to the latest pre-incident state, after the forensic snapshot from section 2 has been taken so the corrupted state is preserved for review.
- Notify affected parents within 24 hours regardless of state-statute timing (this is a clinical safety matter, not just a privacy one).
- Mark the affected clearance PDFs as stale so the public verify endpoint returns "Under Review" until a corrected clearance is re-issued.
- Reach out by phone for cases where ongoing clinical care is implicated.
5. Drills + readiness
We run a quarterly tabletop drill of this protocol — picking a plausible scenario (vendor breach, credential compromise, chart-integrity bug, Sentry leak) and walking through the response without actually deploying. Gaps identified are written up and addressed.
6. Our limits
SportSlip is a small operation — one physician (Dr. Kawalek), one engineering team. Our breach response is faster and more direct than a hospital's, but it's also less institutionally robust. If you have specific concerns about how a hypothetical breach would be handled, we're happy to walk through the playbook in detail — email adam@sportslip.co.
7. Contact
Incident or breach concerns: adam@sportslip.co. Phone (833) 549-6401.
SportSlip is a service of SickSlip Inc., a Delaware corporation. 8605 Santa Monica Blvd, Los Angeles, CA 90069.