Data Breach Notification Policy
Effective Date: February 6, 2026
1. Purpose and Scope
This Data Breach Notification Policy ("Policy") establishes procedures and requirements for AidiN Health and its Business Associates to notify individuals, the U.S. Department of Health and Human Services (HHS), and media outlets of breaches of Unsecured Protected Health Information (PHI) in compliance with the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules (45 CFR Parts 160 and 164).
AidiN Health is a HIPAA-covered entity and provides a Software-as-a-Service (SaaS) platform for claim denial prevention and revenue cycle management for healthcare providers, laboratories, and B2B companies. This policy applies to all employees, contractors, and Business Associates who have access to PHI.
2. Definitions
Breach: The unauthorized acquisition, access, use, or disclosure of PHI which compromises the security or privacy of such information except where an exception applies.
Unsecured PHI: Protected Health Information that is not secured through encryption or destruction in accordance with NIST standards and HHS guidance.
Security Incident: Events such as unauthorized access, use, disclosure, modification, or destruction of PHI, as well as loss of availability of PHI.
Covered Entity: AidiN Health, including all workforce members and agents acting on its behalf, subject to HIPAA regulations.
Business Associate: Any person or organization (other than a member of the workforce) that creates, receives, maintains, or transmits PHI on behalf of a covered entity.
Protected Health Information (PHI): Any information in a medical record or health plan concerning past, present, or future physical or mental health condition, health care provision, or payment for health care that can be linked to an individual.
3. Breach Risk Assessment
Upon discovery of a potential breach or security incident, AidiN Health shall conduct a prompt risk assessment using the four-factor test outlined in 45 CFR 164.402(b) to determine whether notification is required:
Nature and Extent of PHI Involved
Assessment of the volume of PHI accessed, types of data (names, SSNs, medical record numbers, financial information), and the sensitivity of the information involved.
Unauthorized Person Who Used or Accessed PHI
Identification of the nature and extent of involvement of the unauthorized person, whether they were an internal actor, external threat, or other party. Assessment of whether the person actually used or viewed the PHI.
Whether PHI Was Actually Acquired or Viewed
Determination of whether the unauthorized person actually had possession of PHI, viewed it, or merely had the capability to do so. Technical evidence, such as access logs and activity monitoring, shall be reviewed.
Extent to Which Risk Has Been Mitigated
Assessment of whether remedial measures have been implemented, including recovery of the information, confirmation that the unauthorized person did not acquire the information, implementation of new safeguards, or other factors that reduce the likelihood of harm.
4. Notification Requirements
Individual Notification
If a breach is determined to have occurred, AidiN Health shall notify affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery. Notification shall be provided in writing by first-class mail, electronic mail (if the individual has consented), or by other means if electronic or mail notification is infeasible.
HHS Notification
- For breaches affecting 500 or more residents of a State or jurisdiction: Notification shall be made immediately to prominent media outlets serving the State or jurisdiction.
- For breaches affecting fewer than 500 individuals: Notification shall be provided to the HHS Office for Civil Rights (OCR) via the breach portal at least annually.
Media Notification
If a breach affects 500 or more residents of a State or jurisdiction, AidiN Health shall notify prominent media outlets serving the affected State or jurisdiction without unreasonable delay.
Business Associate Notification
If a Business Associate becomes aware of a breach of Unsecured PHI maintained on behalf of AidiN Health, the Business Associate shall notify AidiN Health without unreasonable delay and in no case later than 30 days after discovery.
5. Content of Breach Notification
Each notification to individuals shall include, to the extent known or reasonably available:
- Description of what happened, including the date of the breach and the date of discovery
- Types of information involved in the breach
- Steps affected individuals should take to protect themselves, including guidance on credit monitoring and identity theft protection
- What AidiN Health is doing to investigate the breach, mitigate harm, and prevent recurrence
- Contact information for AidiN Health, including the Privacy Officer at privacy@aidin.health
6. Methods of Notification
- Written Notice: First-class mail to the last known address on file
- Electronic Notice: Email to the individual's email address on file if consented
- Substitute Notice: If written or electronic notice is infeasible, notice via telephone, local media, or posting on the company website
- Posting on Website: For breaches affecting a large number of individuals, notice may be posted prominently on the AidiN Health website
7. Breach Response Procedures
Incident Identification and Containment
Upon discovery of any actual or suspected security incident, AidiN Health shall immediately notify the Privacy Officer and Security team. The team shall work to contain the incident, including isolating affected systems, disabling compromised credentials, and preventing further unauthorized access.
Investigation and Documentation
A comprehensive investigation shall be conducted to determine the scope, timeline, affected individuals, and nature of PHI involved. Findings shall be documented in a breach investigation report.
Risk Assessment
The risk assessment shall be completed in accordance with Section 3 of this Policy. The Privacy Officer shall document the four-factor analysis and the determination as to whether notification is required.
Notification Decisions
Following completion of the risk assessment, the Privacy Officer shall determine whether notification is required and shall prepare notification content. Legal counsel may be consulted.
Remediation and Mitigation
Following notification, AidiN Health shall implement corrective actions to prevent recurrence, which may include enhanced access controls, encryption, employee training, or modifications to security procedures.
8. Documentation and Record Keeping
AidiN Health shall maintain detailed documentation of all suspected breaches, security incidents, and notification activities. Records shall be retained for a minimum of six (6) years in accordance with HIPAA requirements.
9. Training and Awareness
AidiN Health shall conduct annual security awareness training for all workforce members and Business Associates who have access to PHI.
10. Exceptions to Breach Definition
A breach will not be found to have occurred if the entity demonstrates that the individual to whom the PHI was disclosed had a good faith belief that the unauthorized person would not have acquired the information. Exceptions include:
- Unintentional Acquisition: When an unauthorized person unintentionally acquires PHI but has no reasonable ability to use the information
- Inadvertent Disclosure: When an authorized person inadvertently discloses it to another authorized person
- Good Faith Belief: When the individual to whom the information is disclosed had a good faith belief that the unauthorized person would not use or further disclose the information
11. Law Enforcement Delay
If a law enforcement agency determines that notification would impede an authorized investigation, AidiN Health may delay notification for the period requested. AidiN Health shall document all law enforcement delays.
12. State Law Requirements
AidiN Health recognizes that certain States have enacted data breach notification laws that may impose additional requirements beyond HIPAA. To the extent a state law imposes more stringent requirements, AidiN Health shall comply with such state law.
13. Sanctions for Violations
AidiN Health shall impose appropriate sanctions against any workforce member or Business Associate who fails to comply with this Policy. Sanctions may include disciplinary action, up to and including termination.
14. Contact Information
For questions regarding this Policy or to report a suspected breach, please contact:
AidiN Health
Privacy Officer Email: privacy@aidin.health
Website: aidin.health
This Data Breach Notification Policy is effective as of February 6, 2026 and is subject to change.