HHS says hospitals impacted by Change Healthcare cyberattack can delegate breach notifications to UnitedHealth Group

May 31, 2024 - 03:00 PM
oig-fda-cybersecurity

The Department of Health and Human Services May 31 announced that hospitals and health systems can require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack Feb. 22.

"Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare," said HHS' Office for Civil Rights Director Melanie Fontes Rainer. "All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized."

“The AHA is pleased by the Office for Civil Rights’ announcement that it will permit UnitedHealth Group to make breach notifications on behalf of hospitals and health systems affected by the cyberattack on Change Healthcare,” said Chad Golder, AHA general counsel and secretary. “This is exactly what the AHA asked OCR to do in March. As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack. Today’s decision recognizes this and is a clear example of smart, practical government action.”  

OCR posted Friday's update on its FAQ webpage, adding, "… if covered entities affected by this breach ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, those covered entities would not have additional HIPAA breach notification obligations."

AHA and other hospital groups had urged UHG in a letter May 8 to formally issue breach notifications on behalf of providers or customers following cyberattacks if protected health information or personally identifiable information is stolen. UHG CEO Andrew Witty agreed to do so May 1 during hearings with Senate and House committees. 

Related News Articles

Headline
White House issues executive order on cybersecurity for AI
The White House issued an executive order June 2 on cybersecurity efforts regarding artificial intelligence. The order instructs federal…
Headline
Guide issued for healthcare organizations on cyber governance frameworks for secure AI implementation 
The Health Sector Coordinating Council’s Cybersecurity Working Group has released a guide to help healthcare organizations establish cyber governance…
Headline
FBI issues alert on cyber actors impersonating IT personnel 
The FBI has released an alert on a cyber threat group called the Silent Ransom Group, which has targeted healthcare and other industries in recent years using…
Headline
CISA issues revised virtual town hall schedule for input on proposed cyber incident reporting
The Cybersecurity and Infrastructure Security Agency May 26 announced a revised schedule for its series of virtual town hall meetings for public input on…
Headline
Microsoft disrupts Fox Tempest malware attacking health care, other sectors 
Microsoft announced May 19 that it disrupted operations of Fox Tempest, a threat actor operating as a malware-signing-as-a-service used by cybercriminals to…
Headline
Blog highlights top 3 cyber risks for health care in 2026
An AHA Cyber & Risk Intel blog by John Riggi, AHA national advisor for cybersecurity and risk, explores what health care leaders need to consider to reduce…