Breach Notification Policy
- Effective
- 2 June 2026
- Last updated
- 2 June 2026
- Version
- v1
This policy describes how OGA Careidentifies, classifies, escalates, and notifies stakeholders of security and personal-data incidents affecting the Services. It supports our obligations under applicable law, including India’s Digital Personal Data Protection Act, 2023, the CERT-In Directions (2022), the GDPR / UK GDPR, and HIPAA (for US Covered-Entity Customers under a BAA).
1. Purpose and Scope
The policy applies to any actual or reasonably suspected breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data or PHI processed through the Services.
2. Incident Identification
- Incidents may be detected by monitoring and alerting, audit-log review, or reports from staff, customers, researchers, or sub-processors.
- Anyone who suspects an incident must report it immediately to the security team (see Section 9).
- On report, an on-call responder triages the issue and opens an incident record.
3. Severity Classification
| Severity | Description | Examples |
|---|---|---|
| Critical (SEV-1) | Confirmed unauthorised access to PHI / large-scale Personal Data, or major service compromise. | Database exfiltration; ransomware affecting patient data. |
| High (SEV-2) | Likely breach affecting a limited set of records, or a serious vulnerability under active threat. | Mis-scoped access exposing one tenant’s data; credential compromise. |
| Medium / Low (SEV-3/4) | Contained issues with no confirmed data exposure, or near-misses. | Blocked intrusion attempt; isolated misconfiguration with no access. |
4. Internal Escalation
- The on-call responder classifies severity and assembles the incident-response team.
- For SEV-1 / SEV-2, security leadership, engineering leadership, and the privacy/legal contact are notified without delay.
- The team contains the incident, preserves evidence, and begins assessment of scope and affected parties.
- A designated incident lead coordinates communications and the notification decisions below.
5. Notification Timelines
The following target timelines apply once an incident is confirmed (or reasonably suspected, where the law requires earlier action):
- Internal escalation to leadership: within 24 hours of confirmation.
- CERT-In (India) reportable cyber incidents: within 6 hours of detection, as required by the CERT-In Directions.
- Data-protection regulator(s): as soon as feasible and within 72 hours of becoming aware, where the breach is notifiable (e.g. GDPR Art. 33).
- Affected users / Customers: without undue delay and within 30 days where notification to individuals is required.
- HIPAA (US, under a BAA): no later than 60 days, and per the terms of the applicable BAA.
Where OGA Care acts as a processor, we notify the affected Customer (controller) so it can meet its own notification obligations, and we provide reasonable assistance. See the Data Processing Agreement.
6. User Communication Process
- Notifications describe, to the extent known, the nature of the incident, the data involved, likely consequences, and the steps taken and recommended.
- We provide a point of contact for questions and publish updates as the investigation progresses.
- Communications are reviewed by legal before release to ensure accuracy and compliance.
7. Regulator Notification Process
The incident lead, with legal, determines which regulators must be notified based on the data involved and the affected jurisdictions, prepares the required submissions, and tracks each authority’s acknowledgements and follow-up requests.
8. Logging and Forensic Requirements
- Security-relevant events and access to sensitive records are logged with tamper-resistant, append-only storage.
- On an incident, relevant logs and artefacts are preserved for forensic analysis and to meet retention obligations (CERT-In requires retention of logs for a rolling period).
- A post-incident review documents root cause, impact, and corrective actions, which feed back into our controls.
9. Report an Incident
To report a suspected security incident or vulnerability, email support@ogacare.in. Privacy-specific concerns may also be directed to support@ogacare.in or our Grievance Officer.