Breach Notification Plan
Last updated: April 2026
Purpose
This document describes how KRUUSH, operated by Kruush Wellness LLC ("Company"), responds to a breach of unsecured consumer health data. This plan is maintained in compliance with the FTC Health Breach Notification Rule (16 CFR Part 318, as amended effective July 29, 2024) and applicable state breach notification laws.
Scope
This plan covers any unauthorized acquisition of, or unauthorized access to, unsecured personally identifiable health information maintained by KRUUSH. This includes:
- Account-linked health data: Vibe Check tracker entries, quiz results, screening records, experiment logs, and community health posts tied to a user account
- Email subscriber data: Email addresses collected through newsletter signups, quiz result downloads, or community waitlist forms
- Research subscriber data: Email addresses linked to research study participation
Not in scope: Anonymous research survey data (collected without any personal identifiers; the session hashes used cannot be linked to individuals) and aggregate statistical data. These cannot be used to identify any individual and therefore do not constitute a breach of identifiable health information.
Incident Response Team
The following roles are responsible for breach response:
- Incident Lead: Amber Farr-Jaffe, Founder and CEO. Responsible for all breach response decisions, notifications, and communications.
- Technical Lead: Platform infrastructure team. Responsible for containment, forensic investigation, and remediation.
- Legal Counsel: External counsel (to be engaged upon breach discovery). Responsible for regulatory notification compliance and legal risk assessment.
Step 1: Discovery and Containment
Upon discovery or report of a potential breach:
- Document the date and time of discovery (this starts the 60-calendar-day notification clock; under the Rule, a breach is treated as discovered on the first day it is known, or reasonably should have been known, to the Company)
- Immediately contain the breach: revoke compromised credentials, isolate affected systems, block unauthorized access
- Preserve all evidence and logs for forensic analysis
- Determine the scope: what data was accessed, how many individuals are affected, what types of health information are involved
Step 2: Investigation
Within 72 hours of discovery:
- Identify the cause and method of the breach
- Determine the exact categories of health data involved
- Identify all affected individuals by cross-referencing database records
- Determine whether any third parties acquired the data
- Assess whether the data was encrypted at the time of breach (data encrypted in line with HHS guidance, where the decryption key was not also compromised, is "secured" and exempt from notification under the Rule)
- Engage external legal counsel for regulatory guidance
Step 3: Notification to Affected Individuals
Within 60 calendar days of breach discovery, and without unreasonable delay, KRUUSH will notify all affected individuals. The notice will include:
- A brief description of what happened, including the date of the breach (if known) and the date of discovery
- The types of health information involved (e.g., symptom tracker data, quiz results, email addresses)
- The identity of any third parties who acquired the data
- Steps the individual can take to protect themselves
- A description of KRUUSH's investigation and what we are doing to prevent future incidents
- Contact information with at least two methods: email ([email protected]) and a dedicated toll-free phone number
Method of notice: Email to the affected individual's email address on file. If email is not available or bounces for 10 or more individuals, substitute notice will be posted prominently on kruush.me for 90 consecutive days with a toll-free phone number active for at least 90 days.
Reference: FTC Health Breach Notification Rule, 16 CFR 318.4(a)
Step 4: Notification to the FTC
KRUUSH will notify the Federal Trade Commission via the Notice of Breach of Health Information online form:
- 500 or more individuals affected: Notification to the FTC at the same time as individual notices, within 60 calendar days of discovery
- Fewer than 500 individuals affected: Notification to the FTC within 60 calendar days following the end of the calendar year in which the breach was discovered
Reference: FTC Health Breach Notification Rule, 16 CFR 318.4(c)
Step 5: Notification to Media (If Applicable)
If the breach affects 500 or more residents of a single state or U.S. territory, KRUUSH will notify prominent media outlets serving that state within 60 calendar days of discovery, without unreasonable delay.
Reference: FTC Health Breach Notification Rule, 16 CFR 318.4(d)
Step 6: Remediation
Following containment and notification:
- Implement technical fixes to prevent recurrence
- Review and update access controls, encryption standards, and monitoring
- Conduct a post-incident review and document lessons learned
- Update this Breach Notification Plan if gaps are identified
- Offer affected individuals resources for identity protection if personal identifiers were involved
Data Security Measures
KRUUSH maintains the following security measures to prevent breaches:
- Encryption in transit: All data transmitted via HTTPS/TLS
- Encryption at rest: Database hosted on TiDB Cloud with encryption at rest enabled
- Access controls: Role-based access; admin functions require authenticated owner account
- Session security: JWT-signed session cookies with the Secure, HttpOnly, and SameSite attributes set
- De-identification: Research survey data collected without personal identifiers per HIPAA Safe Harbor standard
- Consent tracking: All health data collection gated by versioned, timestamped, granular consent
Record Keeping
KRUUSH will maintain records of all breach incidents, notifications sent, and remediation actions taken for a minimum of 6 years from the date of the breach, as required by the FTC Health Breach Notification Rule.
Plan Review
This plan is reviewed and updated at least annually, or whenever there is a material change to KRUUSH's data collection practices, infrastructure, or applicable law.
Contact
To report a suspected data breach or security vulnerability:
Email: [email protected]
Subject line: "Security Incident Report"
This plan is maintained in compliance with the FTC Health Breach Notification Rule (16 CFR Part 318, as amended effective July 29, 2024), the Washington My Health My Data Act (RCW 19.373), and applicable state data breach notification laws. For our general privacy practices, see our Privacy Policy. For health data practices, see our Consumer Health Data Privacy Notice.
Health Notice: KRUUSH is a wellness content platform, not a healthcare provider. The information on this page is for educational and informational purposes only and isn't a substitute for professional medical advice, diagnosis, or treatment. Always talk to your healthcare provider before making health decisions.