Incident Response
Incident Response Plan
AlignSure maintains a documented incident response plan covering:
- Identification — Detection of potential security incidents through monitoring and alerting
- Containment — Immediate actions to limit the scope and impact of the incident
- Eradication — Removal of the threat and remediation of vulnerabilities
- Recovery — Restoration of normal operations with verification
- Post-Incident Review — Root cause analysis and process improvements
Breach Notification
In the event of a security incident involving PHI:
- Customer notification — Within the timeframes required by HIPAA (no later than 60 days from discovery)
- Content — Description of the incident, types of information involved, steps taken, and recommended mitigation
- Ongoing updates — Continued communication throughout investigation and remediation
AlignSure also complies with applicable state breach notification laws, which may require shorter notification windows.
Reporting a Security Concern
If you discover a potential security issue:
- Email: security@alignsure.com
- Include a description of the concern and any supporting information
- Do not include PHI in your report
Customer Responsibilities
Under the shared responsibility model:
- AlignSure secures the platform infrastructure, application, and data at rest
- Customers are responsible for managing their Microsoft Entra ID tenant security, including MFA enforcement, Conditional Access policies, and user lifecycle management
- Customers should report suspected unauthorized access promptly