Provider Associations Seek Clarity on Notification Responsibilities for Change Healthcare Breach
CHIME is requesting clarity on the process for sharing names of the individuals affected by the Change Healthcare/UHG data breach, the timeline for this process, and the assurances that the breach has been reported to the Office for Civil Rights (OCR).

While OCR has addressed some questions on its FAQ page regarding the federal HIPAA Breach Notification Rule, there are also state laws governing breach reporting. CHIME is seeking guidance on these state-level requirements and whether OCR and Change Healthcare/UHG are coordinating with state officials to ensure compliance with these laws.

Some clinicians and providers have expressed concerns that their patients’ protected health information has appeared on the dark web, despite having no current or recent contractual relationship with Change Healthcare/UHG. CHIME has queried how OCR will handle these situations.

The Scale and Complexity of the Breach

A data breach of this magnitude, potentially affecting 1 in 3 Americans, poses significant challenges. Many patients may have multiple payers, leading to the possibility of receiving multiple breach notification letters. This situation could cause undue stress and anxiety. CHIME has asked OCR to clarify the notification process to ensure individuals receive only one notification.

Request for Immediate Action and Meeting

CHIME has requested prompt answers from OCR and a meeting with OCR Director Melanie Fontes Rainer to discuss these concerns.

Change Healthcare Starts Notifying Affected Entities

Change Healthcare has begun notifying the entities affected by the February ransomware attack. Over 90% of the files have been reviewed, but it is still not possible to confirm precisely what data has been compromised. The breached information may include names, addresses, birth dates, diagnostic images, payment information, Social Security numbers, passport numbers, state ID numbers, and health insurance information. Medical charts and medical histories do not appear to have been stolen.

The HIPAA Breach Notification Rule requires covered entities to issue individual notifications without unreasonable delay and no later than 60 days from the discovery of a data breach. OCR has confirmed that covered entities have up to 60 days to issue breach notification letters from the date they receive notification from their business associate. They may delegate this task to the business associate but remain ultimately responsible for ensuring the notifications are sent.

Change Healthcare anticipates mailing individual notification letters by the end of July for all affected covered entities that have asked for their assistance. The investigation and file review are ongoing, and more individuals may be identified as affected as the investigation progresses.

Senators Urge UHG to Issue Notifications

Senators Maggie Hassan (D-NH) and Marsha Blackburn (R-TN) have urged UnitedHealth Group (UHG) CEO Andrew Witty to take responsibility for issuing notifications about the ransomware attack and to promptly inform the affected individuals.

OCR recently updated its FAQ to confirm that UHG/Change Healthcare can legally send individual notifications on behalf of the affected entities. However, it is ultimately the responsibility of each affected entity to ensure those notifications are sent.

Immediate Notifications and Compliance

Senators have expressed that UHG/Change Healthcare is already in violation of the HIPAA Breach Notification Rule, as it has been more than three months since the discovery of the ransomware attack and notifications have not yet been issued. The senators have demanded a plan for issuing notifications and ensuring they are sent no later than June 21, 2024.

OCR Clarifies Breach Notification Responsibilities

OCR has updated its FAQs to clarify that Change Healthcare can legally issue breach notifications on behalf of all affected covered entities. While Change Healthcare’s parent company, UHG, has publicly stated its willingness to assist with notifications, some provider groups were confused about the process. OCR confirmed that Change Healthcare can issue notifications for all affected clients if asked to do so.

Industry Praise for OCR’s Clarity

Several industry groups have praised OCR for providing clarity and confirming that UHG/Change Healthcare can handle breach notifications. The FAQs also state that if Change Healthcare fails to issue the notifications, the burden will fall on the affected entities.

Senator Calls for Accountability

Senator Ron Wyden (D-OR) has called for the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) to hold UHG executives accountable for the ransomware attack, citing negligent cybersecurity practices. Wyden emphasized that the failure to implement multi-factor authentication (MFA) was a significant oversight that contributed to the breach.

Provider Groups Seek Further Clarification

Over 100 provider groups, including CHIME, AHIMA, and AMA, have written to HHS seeking clarification on HIPAA breach reporting requirements in relation to the Change Healthcare ransomware attack. They want assurance that UHG/Change Healthcare will handle all reporting and notification requirements.

UnitedHealth Group’s Testimony

At a House subcommittee hearing, UHG CEO Andrew Witty apologized for the attack and confirmed the scale of the breach, affecting potentially one-third of Americans. Witty stated that MFA was not implemented on a Citrix portal, which allowed the breach. He committed to improving security measures.

Impact and Financial Assistance

UnitedHealth Group has spent significant amounts on the response and has provided financial assistance to affected providers. Despite the disruptions, core systems are being restored, and efforts continue to recover from the attack.

Source: hipaajournal.com