After enduring months of uncertainty, patients affected by the massive Change Healthcare ransomware incident in February may soon receive a breach notification explaining what happened. UnitedHealth Group, Change’s parent company, had not yet notified affected individuals, nor had the hospitals and health systems (UHG customers) that had provided those patients health care.
The Change Healthcare cyberattack is the largest known to date, affecting millions of individuals and thousands of providers. The Department of Health and Human Services (HHS) and Congress are investigating the incident because of its devastating impact on the healthcare sector. UnitedHealth Group CEO Andrew Witty testified before Congress in April, answering questions about what happened and the company’s plan to repair the damage.
Confusion About Breach Notification Responsibility
In April, Change said it would send breach notifications, but it had yet to begin. Unraveling the compromised data and the individuals linked to that data is complicated and time-consuming. On April 22, the company explained that its analysis would take several months before it had enough information to notify affected customers and individuals. HIPAA requires that notifications be sent within 60 days after discovering a breach.
Change set up a website and hotline to inform the public about the breach. It is offering two years of free credit monitoring and identity theft protection for anyone affected. The company also said the data stolen likely covers a “substantial proportion of people in America.”
The hospitals and health systems that used Change’s services are all covered entities responsible for patient breach notifications. However, Change is also a covered entity because it is a healthcare clearinghouse that provides health payment processing services to healthcare providers. For weeks, there was uncertainty about who should notify patients, HHS, and the media, per the Breach Notification Rule.
On May 8, the American Hospital Association (AHA) urged UHG to take responsibility for the breach notifications, arguing that requiring hospitals to do so would confuse patients and impose unnecessary costs on providers who have already suffered greatly from the cyberattack.
HHS Answers the Question
Finally, on May 31, HHS announced that hospitals and health systems could require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack on February 22. This announcement clears up uncertainty about who is responsible for complying with the Breach Notification Rule.
From the HHS announcement:
- Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
- Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and, where applicable, the media.
- If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.
HHS Office for Civil Rights Director Melanie Fontes Rainer said:
“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”
Cybersecurity Needs to be Prioritized
The massive repercussions of the Change Healthcare cyber incident underscore the need for the healthcare sector to improve its cybersecurity.
HHS began calling for improvements last year due to the rise in ransomware attacks and other cyber intrusions in healthcare. In December 2023, it issued a concept paper about improving cyber resiliency and protecting patient safety. The concept paper includes cybersecurity performance goals (CPGs), voluntary cybersecurity practices that healthcare organizations can prioritize to strengthen cyber preparedness.
The Change Healthcare incident may spur even more action to enforce existing laws to protect patient privacy and strengthen the healthcare sector’s resiliency. HHS and Congress are still investigating.
The HIPAA Security Rule is a Blueprint
The easiest way to get ahead of cyberattacks is to review the HIPAA Security Rule and ensure your organization follows its guidelines.
You can use the Security Rule Checklist to validate your current policies and procedures and identify areas for improvement. If Change Healthcare had been more careful, it might not have suffered this ransomware attack. The company admitted, for example, that it wasn’t using multi-factor authentication on the compromised server.
Prevent cyberattacks with strong HIPAA compliance to maintain operations and protect patient data.