Skip to main content
Knowledge · Data breach 7 min read Published March 2026

PII & PHI data breach review

Data breaches happen when information from a company is accessed or leaked without authorization. What it actually takes from your review team to report compliantly.

What counts as a reportable breach

Not every incident is a notifiable breach. The threshold varies by regulator, but the working definition most counsel use is: unauthorized access to records containing PII or PHI, where the information cannot be confirmed encrypted or otherwise unreadable.

What the review team actually does

The review team’s job in a breach is narrower and deeper than in litigation. They are extracting names, contact details, account numbers, dates, and sensitive attributes from documents that may be partially OCR’d, multilingual, or in unusual formats. The output is a structured notification list, not coded documents.

The three failure modes

  • Recall failure. Missing a person on the list is a regulatory and reputational risk. QC for breach prioritizes recall over precision.
  • Entity-resolution failure. The same person appears in 12 emails but only gets notified once. If your tooling can’t resolve, you’ll over- or under-notify.
  • Calendar failure. Most breach work fails on the deadline, not the substance. The fastest reviewers in the world don’t help if you start staffing on day 35 of a 60-day clock.

Talk to our breach team — most engagements scope in under 24 hours.

Have a breach review on your docket?

We staff and run breach reviews from notification through reporting. Talk to our team about your specific matter — most engagements scope in 24 hours.