Where Are HHS Resources for the Change Healthcare Cyberattack?

Modified on Tue, 30 Jul at 2:36 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.

HHS offers a series of resources about the February 2024 Change Healthcare cyberattack.
These resources include:


1. HHS Statement Regarding the Cyberattack on Change Healthcare
2. Change Healthcare Cybersecurity Incident Frequently Asked Questions
3. HHS Office for Civil Rights (OCR) Issues Letter and Opens Investigation of Change Healthcare Cyberattack
4. Re: Cyberattack on Change Healthcare
5. CMS Statement on Continued Action to Respond to the Cyberattack on Change Healthcare
6. Letter to Health Care Leaders on Cyberattack on Change Healthcare
7. Readout of Biden-Harris Administration Convening with Health Care Community Concerning Cyberattack on Change Healthcare

Latest Update (7/30/24):
HHS has updated its FAQ regarding the Change Healthcare Cyberattack. The updated FAQ page is here.

OCR has provided a summary of recent activity with respect to Change Healthcare:

"On July 19, 2024, Change Healthcare filed a breach report with the HHS Office for Civil Rights (OCR) concerning a ransomware attack that resulted in a breach of protected health information. Change Healthcare’s breach report to OCR identifies 500 individuals as the “approximate number of individuals affected”. This is the minimum number of individuals affected that results in a posting of a breach on the HHS Breach Portal.  Change Healthcare is still determining the number of individuals affected. The posting on the HHS Breach Portal will be amended if Change Healthcare updates the total number of individuals affected by this breach. HIPAA breach reports filed on the HHS Breach Portal may be amended as the breach report form allows a filer to file an initial breach report or an addendum to a previous report."

OCR has updated the answer to question #3 on OCR’s “Change Healthcare Cybersecurity Incident Frequently Asked Questions” webpage to address this issue. OCR will continue to update the FAQs as needed.

Latest Update (7/2/24):
Change Healthcare provided notice to the media of the cyberattack on June 20, 2024. That notice is published on Change Healthcare’s website: https://www.changehealthcare.com/hipaa-substitute-notice.

Change Healthcare states that it is in the late stages of its investigation, and that it began mailing notice to certain customers whose members’ or patients’ data was involved in the incident, on June 20, 2024.  Change Healthcare plans to mail written letters at the conclusion of its data review to affected individuals that it has an address for. This mailing process is expected to begin in late July. Change Healthcare has established a dedicated call center to offer additional resources and information to people who believe they may have been affected by this incident. Individuals can visit changecybersupport.com for more information and details on these resources or call the toll-free call center, which also includes trained clinicians to provide support services. The call center’s number is: 1-866-262-5342, available Monday through Friday, 8 a.m. to 8 p.m. CT.

Change Healthcare maintains a running list of breach-related updates on this website: https://www.unitedhealthgroup.com/ns/changehealthcare.html



Update on Who Must Notify Patients (5/22/24)
Source: https://healthexec.com/topics/health-it/cybersecurity/100-groups-ask-ocr-clarification-hipaa-requirements-after-change-healthcare-hack

More than 100 healthcare associations have sent a letter to the Department of Health and Human Services Office for Civil Rights (OCR) requesting clarification on reporting responsibilities related to the Change Healthcare hack. Specifically, the groups want assurance the burden for notifying patients won’t fall on providers.

The letter, dated May 20, is signed by a number of medical associations and physicians groups, including the American Medical Association.

While Change Healthcare’s parent company UnitedHealth Group agreed during a Senate hearing to make notifications after they’ve completed their investigation, the signers want confirmation from the OCR that they will instruct UnitedHealth to follow through.

“Given UnitedHealth Group’s statement that it is prepared to fulfill these reporting and notification requirements, it appears that it would be a quick and straightforward matter for OCR to confirm publicly that the HIPAA breach notification and reporting requirements are applicable to UnitedHealth Group and not to the affected providers,” they wrote.

The medical associations added that “clinicians and providers have not received sufficient confirmation from OCR that HIPAA breach reporting and notification requirements” are in actuality UnitedHealth’s responsibility. The undersigned do not want providers blindsided by having to send out data breach notifications, as Change Healthcare was ultimately “the HIPAA covered entity which experienced the breach of unsecured PHI.”

Despite the statement from UnitedHealth, HIPAA requirements still say the burden of notifying patients about their data being exposed to hackers falls on providers. However, given the unique magnitude of this breach—which impacted more than a third of all Americans but came from a single source—existing regulation on how to proceed is unclear.

The groups reminded the OCR that the Change breach has caused “chaos in the provider community” through no fault of their own and said the “silence on this point is disappointing.” They added that while they appreciate UnitedHealth taking responsibility, the insurer also has yet to release a plan or timetable for when it will send out the required notifications, leaving providers in limbo.

At the end of the letter, they told the OCR that the “chief responsibility” of provider groups is patient care, not administrative burdens.

The extent of the February data breach on Change Healthcare is still not clear. UnitedHealth previously said it will take months to learn exactly how many people were impacted.
