Health Copilot AI

Incident Response Policy

Our procedures for detecting, containing, and responding to security incidents involving customer data and platform systems.

Last Updated: November 14, 2025 Version 1.3

1. Overview and Definitions

This policy describes how Health Copilot AI responds to security incidents involving customer data or platform systems.

Security Incident: Actual unauthorized access to, use, or disclosure of Protected Health Information that compromises the security or privacy of such information.

2. Incident Response Principles

  • Rapid detection and response
  • Transparent customer communication
  • Evidence preservation for investigation and compliance
  • Impact minimization and rapid restoration
  • Regulatory coordination
  • Continuous improvement

3. Detection and Initial Response

3.1 Detection Methods

We detect potential Security Incidents through:

  • Automated security monitoring and alerting
  • Security information and event management (SIEM)
  • Threat intelligence integration
  • Customer or employee reports
  • Vulnerability scanning and testing
  • Audit log analysis

3.2 Initial Response

Upon detecting a potential Security Incident:

  1. Activate incident response team
  2. Begin initial assessment and scoping
  3. Implement immediate containment if necessary
  4. Preserve evidence and logs
  5. Escalate based on severity

4. Investigation and Assessment

We investigate to determine:

  • Nature and scope of the incident
  • Systems and data affected
  • Attack vector and root cause
  • Timeline of unauthorized access
  • Potential impact on customers and individuals

We collect and preserve evidence including system logs, network traffic, configuration files, and user activity records to support investigation, regulatory compliance, insurance claims, and law enforcement cooperation if applicable.

Incidents are classified by severity based on scope of affected data, sensitivity of information, number of affected parties, potential harm, regulatory considerations, and operational impact.

5. Containment and Remediation

5.1 Containment Measures

  • Isolating affected systems or networks
  • Blocking malicious traffic
  • Disabling compromised accounts
  • Revoking or rotating compromised credentials
  • Implementing additional access controls
  • Shutting down affected services if necessary

5.2 Eradication and Recovery

  • Removing malicious software or code
  • Closing exploited vulnerabilities
  • Patching affected systems
  • Rebuilding or restoring systems
  • Validating system integrity
  • Restoring data from backups if necessary
  • Monitoring for re-compromise

6. Customer Notification

6.1 Notification Timing

We notify affected customers without undue delay after confirming a Security Incident.

6.2 Notification Content

Customer notifications include reasonably available information:

  • Description of the Security Incident
  • Date of discovery and estimated timing of unauthorized access
  • Types of data or systems affected
  • Number of individuals potentially impacted (if known)
  • Actions we are taking
  • Resources or services we are providing (if applicable)
  • Contact information for questions
  • Timeline for further updates

6.3 Ongoing Updates

We provide updates during investigation and remediation based on incident complexity and progress.

7. Breach Assessment Support

We provide recommendations to customers regarding notification obligations based on our experience with HIPAA, state breach laws, and emerging regulations.

We may assist customers by analyzing:

  • Nature and scope of the incident
  • Types of information involved
  • Applicable regulatory frameworks
  • Industry breach response practices
  • Factors affecting breach determination

Customers retain ultimate responsibility for making breach determinations and compliance decisions under applicable privacy and data security laws.

8. Customer Coordination

We coordinate with customers regarding breach response, which may include:

  • Sharing information to support their assessments
  • Discussing notification timing and content
  • Coordinating on communication strategies
  • Supporting their regulatory obligations
  • Developing jointly-approved templates and communication plans where appropriate

Customers control final decisions regarding notifications to affected individuals and regulatory filings.

For healthcare applications, coordination addresses patient trust, care continuity, culturally appropriate communication for vulnerable populations, and stakeholder management. We recognize that uncoordinated or premature notifications can cause patient care disruptions, program disenrollment, and may violate law enforcement hold requirements.

9. Roles and Responsibilities

9.1 Health Copilot AI Responsibilities

  • Detecting and investigating Security Incidents
  • Containment and remediation
  • Notifying customers without undue delay
  • Providing recommendations and information to support customer assessments
  • Coordinating response efforts
  • Maintaining documentation
  • Implementing improvements

9.2 Customer Responsibilities

  • Making breach determinations and compliance decisions
  • Filing required regulatory reports
  • Notifying affected individuals per legal requirements
  • Managing affected individual inquiries
  • Coordinating with us on investigation and response
  • Providing information relevant to our investigation

10. Customer Incident Reporting

Customers may report suspected security concerns to:

Email: security@healthcopilotai.com
Portal: support.healthcopilotai.com (mark as security incident)

We will assess reported concerns and coordinate appropriate response.

11. Post-Incident Activities

After incident resolution, we:

  • Conduct post-incident review analyzing timeline, response effectiveness, and root cause
  • Identify security control gaps
  • Implement corrective actions including technical improvements, process enhancements, training updates, and policy revisions
  • Maintain documentation of incidents, investigations, actions taken, and improvements
  • May offer post-incident debrief sessions with customers for significant incidents

12. Incident Response Considerations

Investigation and resolution time varies based on technical complexity, scope, evidence availability, third-party dependencies, and legal considerations. We commit to working diligently and providing regular updates.

Information provided during incidents may be preliminary and subject to change as investigation proceeds.

For incidents originating from third-party providers, our visibility and control may be limited. We advocate on behalf of customers but cannot control third-party response timelines or procedures.

13. Insurance and Legal Considerations

Health Copilot AI maintains cybersecurity insurance. Incident response procedures preserve evidence and documentation for insurance claims, regulatory compliance, and law enforcement cooperation.

Aspects of incident investigation may be conducted under attorney-client privilege or protected as work product. We balance transparency with customers against need to maintain legal protections.

We may cooperate with law enforcement, which may affect notification timing, information disclosure, evidence handling, and communication strategies.

14. Continuous Improvement

We regularly review and update incident response procedures based on lessons learned, threat landscape changes, regulatory developments, and customer feedback. We periodically conduct tabletop exercises and response drills to test and improve procedures.

15. Policy Updates

We may update this incident response policy at any time to address evolving security threats, regulatory changes, lessons learned from incidents, or operational improvements.

Updates become effective when posted with a new version date. Your continued use of our services constitutes acceptance of the updated policy.

16. Contact Information

Security Incidents: security@healthcopilotai.com
Enterprise Customers: Your designated Customer Success Manager