The HHS has said that Change Healthcare can notify consumers whose health data may have been exposed after a major cyberattack at the UnitedHealth-owned tech firm early in 2024.
The update, posted on May 31 by the HHS Office for Civil Rights, is a win for provider groups, who had urged the HHS to clarify who would be responsible for handling data breach reporting and notification requirements after the attack.
UnitedHealth had previously offered to take up these tasks for the providers and customers who were affected. Change has not yet filed a breach report with the HHS, but according to its CEO, Andrew Witty, a large proportion of Americans may have been impacted.
Under HIPAA, covered entities and their business associates are required to notify the affected individuals, the HHS, and at times the media when unsecured protected health information is exposed. The attack on Change, a major medical claims processor that handles billions of transactions per year, could prove to be a massive data breach, even at a time when large healthcare data breaches reported to the OCR are on the rise.
In early May 2024, Witty testified before Congress that the cyberattack may have compromised the data of almost a third of US individuals. However, the company was still working to determine how many individuals could be affected, and it could take many months before the information required to notify each of them is available.
Provider groups have pushed for weeks to determine who would be required to handle breach reporting after the cyberattack. In March 2024, hospital groups argued that the onus should lie on UnitedHealth and Change, suggesting that providers sending notifications may lead to duplicate letters to patients.
Another group of dozens of providers sent a letter to the HHS in May 2024, asking the agency to provide some kind of clarity. Not only is there legal authority for the UnitedHealth Group to give these notifications, but requiring the hospitals to give out their own notifications may lead to confusing the patients and impose an unnecessary cost on the providers, especially when they have already suffered so greatly due to this attack, said Chad Golder, the general counsel and secretary at the American Hospital Association (AHA). The decision now taken acknowledges this and is a clear example of smart and practical government action.
Change and UnitedHealth have faced immense pressure from regulators and lawmakers since the cyberattack. The OCR launched an investigation into the incident in March 2024, and one senator called for the Federal Trade Commission and the Securities and Exchange Commission to look into the negligent cybersecurity practices of this US healthcare giant.