Act Immediately

Someone Clicked a Suspicious Link

An employee clicked a phishing email — what happens now?

Move Fast — The First Hour Matters Most

A clicked phishing link can range from completely harmless to the beginning of a major breach. You won't know which until you investigate — but while you're investigating, you need to contain the damage. Every minute the attacker has access to credentials or systems, the exposure grows.

Step 1: Isolate the Device Immediately

If the employee clicked a link that may have downloaded malware or executed a script, the device needs to be isolated from the network immediately:

  1. Disconnect the device from the network (turn off Wi-Fi in settings or unplug the Ethernet cable)
  2. Do NOT turn the device off — volatile evidence (running processes, open network connections, memory contents) is lost on shutdown, and shutdown can sometimes trigger additional malicious activity
  3. Hand the device to IT or set it aside untouched pending IT review
  4. If you suspect ransomware is already active (files are encrypting), then shutting down immediately to limit spread may be warranted — coordinate with IT

Step 2: Change Passwords Immediately

If the employee entered any credentials on a phishing page (or even if they didn't — attackers can capture credentials via drive-by malware), change passwords now:

  • Change the employee's email password from a different, clean device
  • Change passwords for any systems the employee is logged into (EHR, portal, cloud services)
  • Revoke all active sessions from those systems ("sign out all devices")
  • If the employee uses the same password elsewhere, change those too
  • Enable multi-factor authentication on all accounts if not already active

Step 3: Don't Forward the Email

It may be tempting to forward the phishing email to colleagues as a warning — don't. Forwarding it spreads the threat and may result in others clicking the link. Instead:

  • Report the email using your email provider's built-in phishing report feature
  • Forward a copy to IT or your security team only, using "forward as attachment" to preserve headers without activating any embedded content
  • Keep the original in the employee's inbox (don't delete it yet — it's evidence)
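Once IT has the message as a "forward as attachment" .eml file, the first triage step is to read its headers and link targets without opening or rendering anything. The script below is an added example (not from the original guide); it assumes the .eml that "forward as attachment" produces and works on a constructed sample message. It reports sender/Reply-To/Return-Path domain mismatches, failed SPF/DKIM/DMARC results, the Received chain, and any link whose visible text differs from its real target.

```python
"""Triage the headers and links of a phishing e-mail forwarded as an attachment.

Added example, not code from the original guide. It only parses headers and
body text: no URL is fetched and no HTML is rendered, so nothing embedded in
the message is activated.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample message for demonstration; addresses and IPs are documentation ranges.
SAMPLE_EML = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
\tby mx.clinic.example (Postfix) with ESMTPS id ABC123
\tfor <nurse@clinic.example>; Mon, 3 Jun 2024 08:14:02 +0000
Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=clinic-portal.example
From: "IT Helpdesk" <helpdesk@clinic-portal.example>
Reply-To: support@mail-relay.example.net
To: nurse@clinic.example
Subject: Action required: password expires today
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<a href="http://203.0.113.55/login">https://portal.clinic.example/login</a>
</body></html>
"""

URL_RE = re.compile(r'https?://[^\s"<>]+', re.IGNORECASE)
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)


def domain_of(header_value):
    """Return the lower-cased domain of an e-mail address header ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw_eml):
    """Parse one .eml and return the facts an analyst checks first."""
    msg = message_from_string(raw_eml, policy=default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    return_path_domain = domain_of(msg["Return-Path"])
    auth = str(msg["Authentication-Results"] or "").lower()

    # Read the body as text only; an HTML body is never rendered.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""

    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if return_path_domain and return_path_domain != from_domain:
        findings.append(f"Return-Path domain {return_path_domain} differs from From domain {from_domain}")
    for result in ("spf=fail", "dkim=fail", "dmarc=fail"):
        if result in auth:
            findings.append(f"authentication result: {result}")
    # Visible link text that differs from the real href is a classic lure.
    for href, label in ANCHOR_RE.findall(text):
        shown = re.sub(r"<[^>]+>", "", label).strip()
        if shown.lower().startswith("http") and shown != href:
            findings.append(f"link text {shown} actually points to {href}")

    return {
        "from_domain": from_domain,
        "received": [str(h) for h in msg.get_all("Received", [])],
        "urls": sorted(set(URL_RE.findall(text))),
        "findings": findings,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_EML)
    for hop in report["received"]:
        print("Received:", " ".join(hop.split()))
    for url in report["urls"]:
        print("URL found (do not open):", url)
    for finding in report["findings"]:
        print("FINDING:", finding)
```

The URLs are printed for blocking at the proxy or mail filter and for matching against other mailboxes; the script deliberately has no code path that contacts them.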

Step 4: Report to IT and Your Privacy Officer

This needs to be on both IT's radar and your Privacy Officer's radar simultaneously:

  • IT: Needs to conduct forensic analysis of the device, scan for malware, review network logs for suspicious outbound connections, and determine if any systems were compromised
  • Privacy Officer: Needs to assess whether ePHI was accessible from the compromised account or device and determine whether this constitutes a reportable breach

Step 5: Assess ePHI Exposure

Work with IT to answer these questions:

  • Did the phishing link lead to credential harvesting? Were the employee's credentials submitted to an attacker-controlled site?
  • Was the employee's email account accessed by an unauthorized party? (Check email forwarding rules, login history, sent items)
  • Does the compromised email account contain PHI in messages or attachments?
  • Did any malware execute on the device? If so, what data was on or accessible from the device?
  • Were any PHI systems accessible via the compromised account (EHR, patient portal, billing system)?
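Two of the questions above (was the mailbox accessed by someone else, and were forwarding rules planted) can be answered from the mail provider's audit export. The script below is an added example, not from the original guide: it assumes sign-in records and inbox rules exported as simple records (constructed here), a known click time, and an organisation domain of clinic.example. It builds a baseline of IPs and countries seen before the click, flags successful sign-ins after the click from anywhere new, and flags rules that forward mail externally, delete it, carry a blank name, or were created after the click.

```python
"""Review a mailbox for post-click compromise indicators.

Added example, not code from the original guide. The records below are
constructed; in practice they come from the mail provider's audit log and
inbox-rule export for the affected user.
"""
from datetime import datetime, timezone

INTERNAL_DOMAIN = "clinic.example"  # assumed organisation domain
CLICK_TIME = datetime(2024, 6, 3, 8, 20, tzinfo=timezone.utc)  # assumed time of the click

# Constructed sign-in audit records (UTC). 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SIGNINS = [
    {"time": "2024-05-28T13:02:00Z", "user": "nurse@clinic.example", "ip": "198.51.100.7", "country": "US", "result": "success"},
    {"time": "2024-06-02T09:15:00Z", "user": "nurse@clinic.example", "ip": "198.51.100.7", "country": "US", "result": "success"},
    {"time": "2024-06-03T08:31:00Z", "user": "nurse@clinic.example", "ip": "203.0.113.77", "country": "NL", "result": "failure"},
    {"time": "2024-06-03T08:32:00Z", "user": "nurse@clinic.example", "ip": "203.0.113.77", "country": "NL", "result": "success"},
]

# Constructed inbox rules as exported from the mailbox.
INBOX_RULES = [
    {"name": "Receipts", "created": "2024-02-10T10:00:00Z", "forward_to": "", "delete": False},
    {"name": ".", "created": "2024-06-03T08:35:00Z", "forward_to": "archive.sync@mailbox.example.org", "delete": True},
]


def parse_time(stamp):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def review_signins(events, click_time):
    """Flag successful sign-ins after the click from IPs or countries not in the pre-click baseline."""
    before = [e for e in events if parse_time(e["time"]) < click_time and e["result"] == "success"]
    baseline_ips = {e["ip"] for e in before}
    baseline_countries = {e["country"] for e in before}
    findings = []
    for e in events:
        if parse_time(e["time"]) < click_time or e["result"] != "success":
            continue
        if e["ip"] not in baseline_ips or e["country"] not in baseline_countries:
            findings.append({"time": e["time"], "ip": e["ip"], "country": e["country"],
                             "reason": "successful sign-in from a location not seen before the click"})
    return findings


def review_rules(rules, click_time):
    """Flag inbox rules with the traits of an attacker-planted forwarding rule."""
    findings = []
    for rule in rules:
        reasons = []
        target_domain = rule["forward_to"].rpartition("@")[2].lower()
        if target_domain and target_domain != INTERNAL_DOMAIN:
            reasons.append(f"forwards mail to external domain {target_domain}")
        if rule["delete"]:
            reasons.append("deletes messages after processing")
        if parse_time(rule["created"]) >= click_time:
            reasons.append("created after the click")
        if not rule["name"].strip(" ."):
            reasons.append("rule name is blank or punctuation only")
        if reasons:
            findings.append({"rule": rule["name"], "reasons": reasons})
    return findings


def account_review(events, rules, click_time):
    """Combine both checks into one report for IT and the Privacy Officer."""
    signins = review_signins(events, click_time)
    rule_hits = review_rules(rules, click_time)
    return {
        "suspicious_signins": signins,
        "suspicious_rules": rule_hits,
        "likely_compromised": bool(signins) or bool(rule_hits),
    }


if __name__ == "__main__":
    result = account_review(SIGNINS, INBOX_RULES, CLICK_TIME)
    for s in result["suspicious_signins"]:
        print(f"SIGN-IN {s['time']} from {s['ip']} ({s['country']}): {s['reason']}")
    for r in result["suspicious_rules"]:
        print(f"RULE {r['rule']!r}: " + "; ".join(r["reasons"]))
    print("likely compromised:", result["likely_compromised"])
```

A "likely compromised" result feeds Step 6 directly: it means an unauthorized party had the mailbox, so the PHI content of that mailbox is in scope for the breach risk assessment. Any flagged rule should be removed after it has been documented, not before.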

Step 6: Breach Risk Assessment

Based on IT's findings, your Privacy Officer must conduct the four-factor risk assessment required by the HIPAA Breach Notification Rule. If credentials were compromised and PHI was accessible, this likely meets the definition of a breach and notification obligations apply.

Step 7: Staff Awareness (Without Creating Panic)

Once the immediate threat is contained, it's appropriate to alert staff — without naming the individual who clicked:

  • Send a brief all-staff notice that a phishing email may be circulating
  • Describe the general characteristics (subject line pattern, sender domain pattern) without reprinting the phishing URL
  • Remind staff not to click links in unexpected emails and how to report suspicious messages

Preventing the Next One

  • Implement or reinforce phishing simulation training — regular simulated phishing tests measurably reduce click rates over time
  • Enable email filtering and anti-phishing tools at the mail server level
  • Enforce MFA on all PHI-accessible systems so that even compromised passwords don't give attackers access
  • Establish a clear, easy process for employees to report suspicious emails without fear of embarrassment
