Unfortunately it is not quite as simple as reporting breaches.
Our local Blue Shield’s web site was hacked. The only reason they found out was that, with Anthem having been hacked previously and realizing that they may have been targeted as well, they hired a security company, which confirmed that the hack had occurred 2 years earlier.
Then it’s a matter of whether the breaches were reported in a timely fashion and in compliance with HIPAA guidelines.
It’s not merely notifying the feds. All patients will have to be notified as well. Our local Blue Shield was required to send letters to everyone who was ever covered by them, including spouses and dependent children. I received 5 different letters, despite being the same insured, because I had 5 different policies over the years with them.
Physicians in small practices don’t have the same resources as insurers. Their best defense is to limit the online traffic as much as possible.
Why talk about what to do after the horse is out of the barn? Better to be certain that the barn door has been closed in the first place. In this case, a good defense is just that.