
Dive Brief // Change Healthcare cyberattack

The update is a win for provider groups who have urged the agency to clarify which organizations need to report a data breach and notify patients after the cyberattack.

Published June 3, 2024


The HHS said Change Healthcare can handle data breach reporting and notification requirements in a win for provider groups. Mark Wilson via Getty Images


Dive Brief:

  • The HHS said Change Healthcare can notify consumers whose health data may have been exposed after a major cyberattack on the UnitedHealth-owned technology firm earlier this year.
  • The update, posted Friday by the HHS’ Office for Civil Rights, is a win for provider groups, who have urged the HHS to clarify who would be responsible for handling data breach reporting and notification requirements after the attack. 
  • UnitedHealth has previously offered to take on these tasks for affected providers and other customers. Change hasn’t yet filed a breach report with the HHS, but CEO Andrew Witty estimated last month a large proportion of Americans could be impacted. 

Dive Insight: 

Under HIPAA, covered entities and their business associates are required to notify affected individuals, the HHS and sometimes the media when unsecured protected health information is exposed.

The attack on Change, a major medical claims processor that handles billions of transactions each year, could prove a huge data breach, even at a time when large healthcare data breaches reported to the OCR are on the rise. 

In early May, Witty testified before Congress that the cyberattack may have compromised the data of a third of U.S. individuals. But the company was still working to determine how many people could be affected, and it could take “several months” before enough information will be available to notify them, he said. 

Provider groups have pushed for weeks to determine who would be required to handle breach reporting requirements after the cyberattack. 

In March, hospital groups argued the responsibility should lie with UnitedHealth and Change, suggesting that requiring providers to send the notifications could result in duplicative letters to patients. Another group of dozens of providers sent a letter to HHS in May urging the agency to provide clarity.

“[…] Not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack,” Chad Golder, general counsel and secretary at the American Hospital Association said in a Friday statement. “Today’s decision recognizes this and is a clear example of smart, practical government action.” 

UnitedHealth and Change have faced pressure from regulators and lawmakers after the attack. The OCR launched an investigation into the incident in March, and Sen. Ron Wyden last week called for the Federal Trade Commission and the Securities and Exchange Commission to look into the healthcare giant’s “negligent” cybersecurity practices.
