is any activity that harms or represents a serious threat to the whole or part of an organization's computer, telephone and network-based resources such that there is an absence of service, inhibition of functioning systems, including unauthorized changes to hardware, firmware, software or data, unauthorized exposure, change or deletion of PHI, or a crime or natural disaster that destroys access to or control of these resources. Routine detection and remediation of a ‘virus’, ‘malware’ or similar issue that has little impact on the day-to-day business of the organization is not considered an Incident.