Feds Launches Probe of Change Healthcare Cybersecurity Attack

What You Should Know:

– The Department of Health and Human Services’ Office for Civil Rights (OCR) has announced an investigation into the recent cyberattack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG).

– The cybersecurity attack has significantly disrupted healthcare billing and information systems nationwide, potentially impacting patient care.

Investigation Focuses on HIPAA Compliance

The OCR enforces the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. These rules establish minimum standards for protecting patient privacy, securing electronic health information, and notifying individuals in case of a data breach.

The OCR’s investigation will focus on two key areas:

Determining if a Breach Occurred: The investigation will determine if the cyberattack resulted in a breach of protected health information (PHI) held by Change Healthcare.
Compliance with HIPAA Rules: The OCR will assess Change Healthcare’s and UHG’s compliance with the HIPAA Rules, specifically regarding data security measures and breach notification protocols.

Impact on Downstream Partners

The OCR emphasizes that healthcare providers, health plans, and business associates who partnered with Change Healthcare remain a secondary concern. However, the agency reminds them of their obligations under HIPAA, including:

Maintaining valid business associate agreements with Change Healthcare.
Implementing timely breach notification procedures as required by HIPAA, notifying both HHS and affected individuals if a breach is confirmed.

Growing Impact of Ransomware in Healthcare

Ransomware and hacking are the primary cyber-threats in healthcare. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

“OCR is committed to helping health care entities understand health information regulations and to collaboratively working with entities to navigate the serious challenges we face together… We encourage all entities to review the cybersecurity measures they have in place with urgency to ensure that critically needed patient care can continue to be provided and that health information is protected,” said Melanie Fontes Rainer, Director of OCR.

The HHS Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information may be found at: https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf

First RNA editing therapy nears clinic, as Wave ask regulators to greenlight human tests

An RNA editing therapy may be headed into human testing for the first time, after Wave Life Sciences submitted an application to bring the treatment

September 6, 2023

Two New Cases of Avian Flu Spotted in California

The first two human cases of H5N1 avian influenza in California were confirmed by CDC testing of specimens submitted by the state on Thursday, and

October 8, 2024

FDA prioritizes guidance on AI, cybersecurity, pulse oximeters in stacked schedule for 2024

Listen to the article 3 min This audio is auto-generated. Please let us know if you have feedback. Dive Brief: The Food and Drug Administration

October 13, 2023

Supercharge Your Portfolio with Future Health Stocks!

Join us for Profitable Insights & Expert Tips!

With expert analysis, comprehensive market coverage, and actionable insights, our newsletter equips you with the knowledge & tools necessary to make informed decisions & maximize your potential returns in the dynamic world of future health stocks.