OCR Clarifies Issues Associated With the Change Healthcare Cyberattack

The American Hospital Association (AHA) has written to the Department of Health and Human Services (HHS) asking for clarification on breach notification obligations should it be confirmed that protected health information (PHI) was compromised. Given the scale of the Change Healthcare ransomware attack, the HHS Office for Civil Rights (OCR) has opened an investigation to determine whether Change Healthcare complied with the HIPAA Rules. In a “Dear Colleague” letter, OCR Director Melanie Fontes Rainer said that while OCR is not prioritizing investigations of the healthcare providers, health plans, and business associates that partner with or were affected by Change Healthcare and UHG, it is reminding those organizations of their regulatory obligations, including ensuring that business associate agreements (BAAs) are in place and that breach notifications are sent to HHS and affected individuals within the timeframes required by the HIPAA Rules.

The AHA expressed concern about Fontes Rainer’s letter and wants clarity on which entities must issue notifications. In its letter, the AHA argues that Change Healthcare, as a HIPAA covered entity, is responsible for notifying OCR and affected individuals of a breach, including in cases where it acts as a business associate. The AHA’s question is whether OCR will require hospitals to send their own breach notices to HHS and affected individuals if it is eventually confirmed that a breach occurred, that is, whether hospitals and other organizations must send additional notifications when UnitedHealth Group and Change Healthcare have already done so. Duplicate notifications would confuse patients and impose unnecessary costs on hospitals on top of the disruption the attack has already caused.

Members of the Washington State Hospital Association (WSHA) have also raised concerns about the breach notification requirements after reading OCR’s letter. On the business associate agreement and notification points raised in the letter, WSHA noted that hospitals can get ahead of the issue by reviewing the respective responsibilities of the hospital and Change Healthcare set out in the BAAs they signed, including the breach notification obligations and which party issues the notifications, indemnification, and insurance requirements.

Patients Report Fraudulent Calls After the Cyberattack on Change Healthcare

The Minnesota Hospital Association (MHA) and the Minnesota Attorney General have issued alerts warning that scammers appear to be targeting patients affected by the Change Healthcare ransomware attack. Individuals report receiving phone calls from people claiming to be staff from hospitals, pharmacies, and clinics, who offer refunds or demand payment. While such calls could indicate that data stolen in the attack is already being misused, they may simply be opportunists exploiting news of the attack. Lou Ann Olson of the MHA urged everyone to be wary of scams and advised patients who receive a phone call, text, or email referencing the Change Healthcare cyberattack to contact their healthcare provider directly.

Change Healthcare’s Recovery is Quite Slow

Cybersecurity specialists have criticized Change Healthcare’s response to the cyberattack, which has caused outages lasting more than four weeks. Although around 20 of the company’s services have been restored, more than 100 remain offline. Recovery from a ransomware attack commonly takes several weeks, but because healthcare organizations depend so heavily on Change Healthcare’s systems, the impact has been far-reaching. A company in that position should have anticipated this and had plans in place to minimize the disruption.

It is a major concern that an organization providing such a critical service has taken so long to restore its IT systems. According to Emsisoft threat analyst Brett Callow, the company also appears to have had no contingency plan that could be put into effect immediately. Other cybersecurity specialists have questioned whether adequate backups were in place and whether the incident response plan had been properly tested.

UnitedHealth Provides $2.5B in Financial Support and Begins Working Through $14B Claims Backlog

UnitedHealth Group has confirmed that it has made more than $2.5 billion in financial assistance available to healthcare providers affected by the outages at Change Healthcare, and claims management software is being made available. The incident has affected providers to varying degrees, and many, smaller clinics in particular, are struggling; temporary funding assistance is provided at no cost, and providers that need additional help can access these resources.

UHG also stated on March 22, 2024 that its largest clearinghouses would be back online the following weekend, after which processing of the backlog of more than $14 billion in claims would begin.