AIS Exclusive: FBI Cyber Division Chief Offers Advice for CEs Dealing with Data Breaches in Wide-Ranging Interview

In an exclusive, wide-ranging interview with Atlantic Information Services’ Report on Patient Privacy, John Riggi, chief of the Outreach Section of the FBI’s Cyber Division, describes how the FBI approaches organizations as “victims,” offers links and other resources for contacting the FBI, and suggests that covered entities establish a relationship with their local agency office in advance of a breach or problem.

In an exclusive, wide-ranging interview in the December 2015 issue of Atlantic Information Services, Inc.’s (AIS) Report on Patient Privacy, the chief of the Outreach Section of the Federal Bureau of Investigation’s (FBI) Cyber Division describes how the FBI approaches organizations as “victims,” offers links and other resources for contacting the FBI, and suggests that covered entities (CEs) establish a relationship with their local agency office in advance of a breach or problem. John Riggi, a 30-year FBI veteran, stresses that the FBI is “here to help” health care organizations in particular, as they are the most heavily targeted by hackers, he says. “Clearly, there have been some very highly publicized incidents and although the [number of breaches] may not be staggering, it is the volume and loss of data associated with some of these major health care breaches which has become a concern.”

Some of the advice Riggi provides in the interview includes:

  • On the services the FBI provides, Riggi says the agency would offer an “investigative response and a technical response where we would help the victim company.... But if it’s a major breach... we’ve learned that the victim company needs more than just a technical response. And, in that sense, we also will dispatch attorneys from our Office of General Counsel to help them navigate how to deal with government and law enforcement [regarding] some of the many legal issues which could arise.” He also says that the FBI will dispatch agents to the victim company, provide media assistance and work out potential extensions to notify the U.S. Department of Health & Human Services Office for Civil Rights, patients and the media as required under the Health Insurance Portability and Accountability Act (HIPAA).
  • On potential criminal or negligent behavior on the part of the CE: “If we uncover criminal acts, [they] will be investigated. If there is evidence of a crime, we will pursue the evidence. Our primary role is to look at a victim company as a victim of a crime and to treat them as such.” Riggi stresses that the FBI will “always treat the victim companies as victims first, and so our job there is to assist them, not to find blame or lay blame on the cause of the intrusion.”
  • On establishing a relationship with the FBI: “We always stress to certainly major health care providers, whether it’s insurance or hospitals, to try to have a pre-existing relationship at least with their local FBI field office, and, simply, if they do become a victim of intrusion, they’ll know who to call directly and immediately and kind of have that personal trust built up, and know what to expect.” Riggi also encourages CEs to join InfraGard, a nonprofit data-sharing organization representing the agency's partnership with the private sector.

Visit to read the interview in its entirety.

About Report on Patient Privacy
Report on Patient Privacy is the health industry’s #1 source of timely news and business strategies for safeguarding patient privacy and data security. Published for hospitals and other providers, health plans and other HIPAA-covered entities and business associates, the 12-page newsletter focuses on privacy issues that can result in huge fines, penalties and public relations nightmares, including: security breach notification; business associate relations and agreements; and new federal privacy rules for marketing, fundraising, privacy notices, minimum necessary, patient rights and safeguarding privacy in EHRs. Visit for more information.

About AIS
Atlantic Information Services, Inc. (AIS) is a publishing and information company that has been serving the health care industry for nearly 30 years. It develops highly targeted news, data and strategic information for managers in hospitals and health systems, health insurance companies, medical group practices, purchasers of health insurance, pharmaceutical companies and other health care organizations. AIS products include print and electronic newsletters, databases, Websites, looseleafs, strategic reports, directories, webinars and virtual conferences.

Contact Author

Jill Brown, Executive Editor
Atlantic Information Services, Inc.