What You Should Know:
– The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced an investigation into the recent cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG).
– The cybersecurity attack has significantly disrupted healthcare billing and information systems nationwide, potentially impacting patient care.
Investigation Focuses on HIPAA Compliance
The OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. These rules establish minimum standards for protecting patient privacy, securing electronic health information, and notifying individuals in case of a data breach.
The OCR’s investigation will focus on two key areas:
- Determining if a Breach Occurred: The investigation will determine if the cyberattack resulted in a breach of protected health information (PHI) held by Change Healthcare.
- Compliance with HIPAA Rules: The OCR will assess Change Healthcare’s and UHG’s compliance with the HIPAA Rules, specifically regarding data security measures and breach notification protocols.
Impact on Downstream Partners
The OCR emphasizes that healthcare providers, health plans, and business associates who partnered with Change Healthcare remain a secondary concern. However, the agency reminds them of their obligations under HIPAA, including:
- Maintaining valid business associate agreements with Change Healthcare.
- Implementing timely breach notification procedures as required by HIPAA, notifying both HHS and affected individuals if a breach is confirmed.
Growing Impact of Ransomware in Healthcare
Ransomware and hacking are the primary cyber-threats in healthcare. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.
“OCR is committed to helping health care entities understand health information regulations and to collaboratively working with entities to navigate the serious challenges we face together… We encourage all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected,” said Melanie Fontes Rainer, Director of OCR.
The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf