Items marked with a diamond ♦ are required fields.

Submitter (Individual that completes and submits this Report)

Your Name & Contact Information	Prefix (Select One) ♦ First Name M.I. ♦ Last Name Job Title Employee ID Email (Format: username@domain.com) Phone Number (Preferred) Please include the area code, extension, and/or dialing codes if applicable. Phone Number (Alternative) Please include the area code, extension, and/or dialing codes if applicable.

Reporter (individual that discovered/notified McKesson of the incident).

Do not document internal notification chains within McKesson in this section, unless the incident was discovered internally.

	♦ Is the “Reporter” and the “Submitter” the same person? Yes No (Select One)

Reporter Name & Contact Information	♦ Relationship to McKesson (Select One) ♦ “Other” Relationship Prefix (Select One) ♦ First Name M.I. ♦ Last Name Job Title Employee ID Email (Format: username@domain.com) Phone Number (Preferred) Please include the area code, extension, and/or dialing codes if applicable. Phone Number (Alternative) Please include the area code, extension, and/or dialing codes if applicable.

Reporter Name &
Contact Information

♦

Relationship to McKesson

(Select One)

♦

“Other” Relationship

Prefix

(Select One)

♦

First Name

M.I.

♦

Last Name

Job Title

Employee ID

(Format: username@domain.com)

Phone Number (Preferred)

Please include the area code, extension, and/or dialing codes if applicable.

Phone Number (Alternative)

Please include the area code, extension, and/or dialing codes if applicable.

Discovery Date	♦ Discovery Date (the first and earliest date in which a McKesson employee or contractor was notified or made aware of the incident) “Discovery Date” may require further documentation, dependent upon additional details/nature of incident as reported below. (Format: mm/dd/yyyy)

Notification	Method – How did the Reporter notify McKesson of the incident? (Select One) Specify “Other” Method

Incident Location & Address

Location	Select the primary "Business Unit" affected from the list below to search for the incident location. ~ Business Unit (Select One) Look Up Clear ~ Sub Business Unit (Select One) ~ Location ~ Division (Select One)

Address	~ Street/Mailing Address ~ City ~ St./Province ~ Zip/Post Code ~ Country

Involved Business Units	♦ Does this incident involve more than one Business Unit? Yes No (Select One) ♦ Select all the Business Units that were involved. (Select all that apply) CORP GP/GS MCKCAN MMS CMM PSaS USON Additional Involved Business Units

Business Process /Product/Service	♦ Applicable McKesson Process/Product/Service affected

Incident Details (Additional Clarification)

Type of Issue/Incident	Type of Issue/Incident: (Select One)

Incident Classification (Additional Clarification)	Clear All ♦ This report concerns a potential unauthorized: (Select all that apply) Disclosure Use Access System or data integrity/availability

Incident Date	♦ Still Under Investigation Yes No (Select One) Date of the unauthorized disclosure, use, access or issue. (Format: mm/dd/yyyy)

Media	Clear All ♦ Indicate type of media: (Select all that apply) Unknown Paper – Misdirected mail Paper – Lost Paper Electronic / Digital ♦ Indicate type of media: Email Other data transfer (Select One) Define Other ♦ Was the media encrypted? Yes No (Select One) ♦ Was the media password protected? Yes No (Select One) Fax Verbal Physical Asset ♦ Indicate type of media: Phone Laptop Other portable electronic device Define Other Desktop Computer Network Server (Select One) Other ♦ Specify “Other”:

Media

Clear All

♦

Indicate type of media:

(Select all that apply)

Unknown

Paper – Misdirected mail

Paper – Lost Paper

Electronic / Digital

♦

Indicate type of media:

Email Other data transfer

(Select One)

Define Other

♦

Was the media encrypted?

Yes No

(Select One)

♦

Was the media password protected?

Yes No

(Select One)

Fax

Verbal

Physical Asset

♦

Indicate type of media:

Phone
Laptop
Other portable electronic device

Define Other

Desktop Computer
Network Server

(Select One)

Other

♦

Specify “Other”:

Error Type (Additional Clarification)	♦ What was the cause of the error? Human Technical Human & Technical Unknown (Select One)

Incident Description	♦ Provide a summary of the incident (e.g. what, where, when, how and why) and any other relevant details. (Names of McKesson Employees should be followed by job titles/departments, as needed.)

Information About	Clear All ♦ What information does this concern? (Select all that apply) + Add McKesson Customer/Client (Select all that apply) ♦ Type: Company ♦ Company Name (If multiple companies affected, enter “Multiple Companies)” Employee ♦ Employee First & Last Name (If multiple employees affected, enter “Multiple Employees”) Patient ♦ Patient First & Last Name (If multiple patients affected, enter “Multiple Patients”) McKesson (Select all that apply) ♦ Type: Company ♦ Company Name (If multiple companies affected, enter “Multiple Companies)” Employee ♦ Employee First & Last Name (If multiple employees affected, enter “Multiple Employees”) Patient ♦ Patient First & Last Name (If multiple patients affected, enter “Multiple Patients”) Other ♦ Specify “Other”: (Please provide as much detail as possible, including but not limited to; names, contact information, account numbers, etc.)

Information About

Clear All

♦

What information does this concern?

(Select all that apply)

+ Add

McKesson Customer/Client

(Select all that apply)

♦

Type:

Company

♦

Company Name

(If multiple companies affected, enter “Multiple Companies)”

Employee

♦

Employee First & Last Name

(If multiple employees affected, enter “Multiple Employees”)

Patient

♦

Patient First & Last Name

(If multiple patients affected, enter “Multiple Patients”)

McKesson

(Select all that apply)

♦

Type:

Company

♦

Company Name

(If multiple companies affected, enter “Multiple Companies)”

Employee

♦

Employee First & Last Name

(If multiple employees affected, enter “Multiple Employees”)

Patient

♦

Patient First & Last Name

(If multiple patients affected, enter “Multiple Patients”)

Other

♦

Specify “Other”:

(Please provide as much detail as possible, including but not limited to; names, contact information, account numbers, etc.)

What Information	Clear All ♦ Which data elements were disclosed, used, accessed, or otherwise affected. (Select all that apply) Unknown Name Address Email Address Phone Number Diagnosis/Procedure Info. Drivers License Medical Record Number Biometric Identifier Social Security Number Date of Birth Account Number Insurance Info. Credit Card Number Payment Information Service Dates Health Care Provider / Client Info. Bank Account Number Other Financial Information Explain Medication Lab Results Claim Form Explanation of Benefits McKesson Confidential Information User Name/Password Common Patient Record ID (specific to McK) Still Under Investigation Other ♦ Specify “Other”: Are any of the data elements considered sensitive information? (Select all that apply) HIV/AIDS Status Mental/Behavioral Health Alcohol/Substance Abuse Genetic Geolocation Information EU Specific Race/Ethnicity EU Specific Sexual Orientation EU Specific Trade Union Membership Other ♦ Specify “Other”:

What Information

Number Affected	♦ What is/are the total number of records affected? (Complete one option) - or - Still Under Investigation (Whole Numbers Only) ♦ What is/are the total number of individuals affected? (Complete one option) - or - Still Under Investigation (Whole Numbers Only)

Country(ies) of Residence	♦ Do you know the country(ies) of residence of the people affected by the incident? Yes Still Under Investigation N/A (Select One) ♦ Indicate country(ies) affected by the incident (Select all that apply) United States Canada Mexico European Union (Select this option if any country within the European Union is a “Country of Residence”.) Other ♦ Specify “Other”:

State(s) of Residence (United States)	♦ Do you know the State(s) of residence of the people affected by the incident and the number of people involved within each State? Yes Still Under Investigation N/A (Select One)

	Clear All ♦ Indicate affected State(s) and number of people affected within each State. (Select all that apply) N/A (Not Applicable or Not Available)

Recipient (if a potential disclosure)	♦ Is the Recipient a Covered Entity? Yes (e.g. Hospital, Health Plan/Payer, Pharmacy, Clearinghouse, Physician, etc.) No (e.g. Bank, Retail Store, Attorney’s office, Pharmaceutical or Other Manufacturer, etc.) Unknown N/A (e.g., not a disclosure issue) (Select One) ♦ Is the Recipient a Business Associate of McKesson? Yes (e.g. Vendor, Supplier, Business Partner, etc.) No Unknown N/A (e.g., not a disclosure issue) (Select One) Clear All ♦ Recipients' Relationship to McKesson: (Select all that apply) McKesson Client/Customer(s) ♦ Whom? (Please Provide Name(s)) McKesson Employee(s) ♦ Whom? (Please Provide Name(s)) McKesson Contractor(s) ♦ Whom? (Please Provide Name(s)) Other ♦ Other Entity? (Please Provide Name(s)) Still Under Investigation N/A

Recipient
(if a potential disclosure)

♦

Is the Recipient a Covered Entity?

Yes (e.g. Hospital, Health Plan/Payer, Pharmacy, Clearinghouse, Physician, etc.)
No (e.g. Bank, Retail Store, Attorney’s office, Pharmaceutical or Other Manufacturer, etc.)
Unknown
N/A (e.g., not a disclosure issue)

(Select One)

♦

Is the Recipient a Business Associate of McKesson?

Yes (e.g. Vendor, Supplier, Business Partner, etc.)
No
Unknown
N/A (e.g., not a disclosure issue)

(Select One)

Clear All

♦

Recipients' Relationship to McKesson:

(Select all that apply)

McKesson Client/Customer(s)

♦

Whom?

(Please Provide Name(s))

McKesson Employee(s)

♦

Whom?

(Please Provide Name(s))

McKesson Contractor(s)

♦

Whom?

(Please Provide Name(s))

Other

♦

Other Entity?

(Please Provide Name(s))

Still Under Investigation

N/A

Individual(s) / Entity(ies) Responsible ()	+ Add ♦ Name of Individual(s)/entity(ies) who caused the disclosure, use or access and/or other issue(s)? « » + ■ x 0. Unnamed Participant ♦ Relationship to McKesson (Select One) ♦ “Other” Relationship Prefix ♦ First Name (Enter “N/A” if Business/Entity) M.I. ♦ Last Name(or Business Name) Job Title Employee ID Email (Format: username@domain.com) Phone Number (Preferred) Please include the area code, extension, and/or dialing codes if applicable. Phone Number (Alternative) Please include the area code, extension, and/or dialing codes if applicable.

Individual(s) / Entity(ies) Responsible ()

+ Add

♦

Name of Individual(s)/entity(ies) who caused the disclosure, use or access and/or other issue(s)?

Unnamed Participant

♦

Relationship to McKesson

(Select One)

♦

“Other” Relationship

Prefix

♦

First Name

(Enter “N/A” if Business/Entity)

M.I.

♦

Last Name(or Business Name)

Job Title

Employee ID

(Format: username@domain.com)

Phone Number (Preferred)

Please include the area code, extension, and/or dialing codes if applicable.

Phone Number (Alternative)

Please include the area code, extension, and/or dialing codes if applicable.

Corrective Actions & Mitigation

Corrective Action (Additional Clarification)	♦ Corrective Action for Responsible Individual(s) and/or Entity(ies) (Provide details including who provided (name & title) and when). Also include details regarding names/dates of ER involvement, if responsible individuals are McKesson employees. ♦ Corrective Action addressing System Issues (such as implementing new Policies/Procedures, amending existing Policies/Procedures and/or Technical fixes such as software patches with implementation dates, if applicable). ♦ Corrective Actions Implemented to Address (Select One)

Corrective Action
(Additional Clarification)

♦

Corrective Action for Responsible Individual(s) and/or Entity(ies) (Provide details including who provided (name & title) and when). Also include details regarding names/dates of ER involvement, if responsible individuals are McKesson employees.

♦

Corrective Action addressing System Issues (such as implementing new Policies/Procedures, amending existing Policies/Procedures and/or Technical fixes such as software patches with implementation dates, if applicable).

♦

Corrective Actions Implemented to Address

(Select One)

Returned or Destroyed Information (if a potential disclosure)	♦ Has a request been made to return or destroy the information? Yes No Unknown N/A (e.g. not a disclosure issue) (Select One) ♦ Type of Request Verbal Written (Select One) ♦ Date (Format: mm/dd/yyyy) ♦ Was the information (original documents) returned or destroyed? Yes No Unknown N/A (e.g. not a disclosure issue) (Select One) ♦ Type of confirmation Verbal Written (Select One) ♦ Date (Format: mm/dd/yyyy)

Returned or Destroyed Information (if a potential disclosure)

♦

Has a request been made to return or destroy the information?

Yes No Unknown N/A (e.g. not a disclosure issue)

(Select One)

♦

Type of Request

Verbal Written

(Select One)

♦

Date

(Format: mm/dd/yyyy)

♦

Was the information (original documents) returned or destroyed?

Yes No Unknown N/A (e.g. not a disclosure issue)

(Select One)

♦

Type of confirmation

Verbal Written

(Select One)

♦

Date

(Format: mm/dd/yyyy)

Mitigation Efforts	What was done and when to mitigate exposure and risk?

Acknowledgement

	Enter a name for your case that can be used to cross reference from within the case management system. This will assist the review team in referencing the case in the event you need to follow-up with them.
Case Name (Additional Clarification)	♦ Case Name ( 8-50 Characters )

	♦ Acknowledgement
Acknowledgement	I acknowledge that the information contained in this form is true and accurate to the best of my knowledge and belief as of today.

Follow-Up & Password

Follow-Up	After you submit this report you will be issued a 10-digit “Report Key”. Using this report key you will be able to access the Follow-Up functionality of this report. Follow-Up will allow you to: Upload/Attach documents to this report Respond to follow-up questions/comments Provide additional information

Password	Create a password to access the Follow-Up functionality of this report. ♦ Password ♦ Re-Enter Password (Passwords must be at least four(4) characters in length.)

Data Privacy Report Form

Statement of Purpose

Submitter (Individual that completes and submits this Report)

Reporter (individual that discovered/notified McKesson of the incident).

Do not document internal notification chains within McKesson in this section, unless the incident was discovered internally.

Incident Location & Address

Incident Details (Additional Clarification)

Corrective Actions & Mitigation

Acknowledgement

Follow-Up & Password