web analytics

Feds Say Change Healthcare Can Handle Breach Notification – Source: www.databreachtoday.com

feds-say-change-healthcare-can-handle-breach-notification-–-source:-wwwdatabreachtoday.com
Rate this post

Source: www.databreachtoday.com – Author: 1

Breach Notification
,
Healthcare
,
HIPAA/HITECH

HHS OCR Advises HIPAA-Covered Entities to Coordinate Notification Duties With UHG

Marianne Kolbasuk McGee (HealthInfoSec) •
June 3, 2024    

Feds Say Change Healthcare Can Handle Breach Notification
HHS OCR said HIPAA-covered entities can delegate to Change Healthcare the notification to millions of patients potentially affected by the company’s data breach. But entities need to ensure notification is actually done. (Image: Getty)

Tens of thousands of hospitals and medical practices can breathe a little easier now. Federal regulators have given the green light for Change Healthcare to handle the breach notification to tens of millions of individuals potentially affected by the company’s February cyberattack. But these entities are still ultimately on the hook to ensure the notification happens.

See Also: Reducing Complexity in Healthcare IT

HIPAA-regulated organizations affected by the hack will not need to notify their patients and regulators about the breach – as long as they’ve properly delegated those duties to Change Healthcare, said the U.S. Department of Health and Human Services’ Office for Civil Rights on Friday in guidance that was updated for at least the third time since it was first issued in April (see: Feds Issue Guide for Change Health Breach Reporting Duties).

But HHS OCR reiterated that under the HITECH Act, covered entities are still ultimately responsible for ensuring that such notifications occur.

So, covered entities affected by the Change Healthcare incident “should coordinate with Change Healthcare and UnitedHealth Group on who will be providing breach notifications” to ensure that all affected individuals are indeed notified,” HHS OCR said.

“All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized,” said Melanie Fontes Rainer, director of HHS OCR, in a statement. “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare.”

HHS OCR said on Friday that so far, neither Change Healthcare nor its parent company, UnitedHealth Group, has reported a breach to the agency.

Until Friday’s latest update, HHS OCR’s guidance about breach notification involving the Change Healthcare attack maintained that despite the company’s offer to handle breach notification for affected customers, covered entities affected by the attack were still required to file breach reports to HHS and to provide individual notifications to their affected patients “without unreasonable delay” upon discovery of a breach.

But in recent weeks, more than 100 healthcare industry groups, medical societies and professional associations have lobbied HHS OCR with letters and public statements calling for the agency to hold Change Healthcare and parent company UHG accountable for breach notification in the aftermath of the massive cyberattack in February (see: 100 Groups Urge Feds to Put UHG on Hook for Breach Notices).

The American Medical Association, which represents thousands of doctors; the American Hospital Association, which represents thousands of hospitals; and the College of Healthcare Information and Management Executive, or CHIME, which represents thousands of healthcare CIOs and CISOs; were among the groups pressuring HHS OCR on clarifying the breach notification and related HIPAA compliance concerns involving the Change Healthcare incident.

But while HHS OCR’s latest update guidance appears to be loosening the noose around covered entities in terms of their duties to notify their patients, the devil is in the details, some experts warn.

“We are pleased that OCR has acknowledged the impact the Change Healthcare cyberattack has had on providers and patients and that they are attempting to ease the impact of the cyberattack on our community,” said Mari Savickis, head of government relations at CHIME. “We do, however, have several questions regarding how this process will work,” she told Information Security Media Group.

For instance, “OCR has said at the end of the day the responsibility lies with the covered entity to make sure the breach can be reported,” she said. So, she asked, will Change Healthcare or UHG require a contract to be “reopened” if a provider – acting as the covered entity – has not already delegated these duties to Change?

Also, Savickis wondered how Change Healthcare will handle the process. “Will the company provide an online request form that providers can complete to make the process seamless? How will Change track all of these requests? Because many healthcare entities will undoubtedly have thousands of patients affected by the breach, she also wondered how Change would provide that information to the affected organizations.

Change Healthcare and UnitedHealth Group did not immediately respond to Information Security Media Group’s request for details on how the company will handle those and other breach notification details.

“We appreciate OCR clarifying that providers and other HIPAA-covered entities can delegate their notice obligations to Change, which reiterates our previously stated preference to ease the reporting obligations of our customers,” UHG said in a statement provided to ISMG.

Read the Fine Print

Regulatory attorney Sara Goldstein of law firm BakerHostetler said covered entities must pay close attention to breach notification in the Change Healthcare situation, even if they delegate those duties to Change Healthcare and UHG.

“If covered entities opt to delegate notifications to Change Healthcare/UHG, they need to make sure the notices comply with HIPAA,” she said.

“For example, HIPAA only permits electronic notification to patients if the covered entity has consent from patients for electronic notice and such consent has not been withdrawn,” she said.

“Most healthcare providers either do not have such consents or do not have a means of tracking if such consent have been withdrawn. Therefore, if Change Healthcare/UHG is only offering to provide electronic notice to patients on behalf of covered entities and the covered entities do not have such consents, then the covered entities may need to mail notices to individuals – as opposed to electronic notice,” she said.

“If the incident involved a Change Healthcare/ UHG customer’s PHI, the customer is ultimately responsible for the notifications – not Change Healthcare/UHG, even if the notifications are handled by the company.”

Regardless of whether Change Healthcare handles the bulk of notification duties on behalf of most affected covered entities, the incident is expected to result in a massive, record-breaking HIPAA breach notification event for the healthcare sector.

UnitedHealth Group CEO Andrew Witty told Congress last month that the breach potentially affects one-third of Americans. The U.S. Census bureau counts the U.S. population at more than 336 million (see: Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack).

UnitedHealth Group has admitted paying a $22 million ransom to BlackCat, also known as Alphv, for a decryptor key and to prevent a data leak. But within a month of the attack and ransom demand, a BlackCat affiliate who took credit for the Change Healthcare attack subsequently claimed BlackCat kept all of the ransom payment, rather than sharing the affiliate’s cut. The cybercrime group RansomHub then tried to extort UHG again, claiming to have possession of 4 terabytes of data stolen by the BlackCat affiliate in the attack (see: A Second Gang Shakes Down UnitedHealth Group for Ransom).

Original Post url: https://www.databreachtoday.com/feds-say-change-healthcare-handle-breach-notification-a-25396

Category & Tags: –

Views: 4

LinkedIn
Twitter
Facebook
WhatsApp
Email

advisor pick´S post

Codrut Andrei
Secure Software Development Lifecycle Fundamentals by Codrut Andrei
Secure Software Development Lifecycle Fundamentals...
BUTTERWORTH-HEINEMANN
Security Operations Center Guidebook – A Practical Guide for a Successful SOC
Security Operations Center Guidebook –...
CISO Forum
CISO’s – First 100 Days Roadmap – Your success as a security leader is determined largely by your first 100 days in the role.
CISO’s – First 100 Days...
RedHat
State of Kubernetes Security Report 2022 by RedHat
State of Kubernetes Security Report...
National Cyber Security
Cyber Security Toolkit for Boards – Helping board members to get to grips with cyber security by NCSC
Cyber Security Toolkit for Boards...
Harvard Business Review
Boards Are Having the Wrong Conversations About Cybersecurity – Board interactions with the CISO are lacking – by Lucia Millica and Keri Pearlson – Harvard Business Review
Boards Are Having the Wrong...
Vendict
The 2024 CISO Burnout Report by Vendict
The 2024 CISO Burnout Report...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Marcos Jaimovich
The Silent Spectre Haunting Your Network: QPhishing, the CISO’s Unspoken Nightmare.
The Silent Spectre Haunting Your...
Marcos Jaimovich
Goodbye to Traditional: Why Conventional Cybersecurity Tools are No Longer Sufficient for the Future of Digital Threats ?
Goodbye to Traditional: Why Conventional...
Marcos Jaimovich
Why do we compare a SOC (Security Operations Center) with the cockpit of a commercial airplane? by Marcos Jaimovich
Why do we compare a...
Joas Antonio
Security Operations Center (SOC) – Tools for Operations Development by Joas Antonio
Security Operations Center (SOC) –...

LASTEST PUBLISHED POSTS

Cyberint
Retail Threat Landscape Report Q1-Q3 – November 2024 Summary by Cyberint a Check Point Company
Retail Threat Landscape Report Q1-Q3...
NCSC
Protecting Critical Supply Chains – A Guide to Securing your Supply Chain Ecosystem
Protecting Critical Supply Chains –...
Culture AI
Time to Adapt – The State of Human Risk Management in 2024 by Culture AI.
Time to Adapt – The...
National Cyber Security Centre
Engaging with Boards to improve the management of cyber security risk.
Engaging with Boards to improve...
Microsoft Security
2024 State of Multicloud Security Report by Microsoft Security
2024 State of Multicloud Security...
bugcrowd
Inside the Mind of a CISO 2024 The Evolving Roles of Security Leaders 2024 by bugcrowd
Inside the Mind of a...
Mohammad Alkhudari
Cybersecurity Strong Strategy step by step Guide collected by Mohammad Alkhudari 2024
Cybersecurity Strong Strategy step by...
Lacework
CISO’s Playbookto Cloud Security by Lacework
CISO’s Playbookto Cloud Security by...
MITRE - Carson Zimmerman
Ten Strategies of a World-Class Cybersecurity Operations Center by MITRE
Ten Strategies of a World-Class...
SILVERFRONT - AIG
Identity Has Become the Prime Target of Threat Actors by Silverfort AIG.
Identity Has Become the Prime...
CYZEA.IO
Enterprise Information Security
Enterprise Information Security
IGNITE Technologies
ENCRYPTED REVERSE
ENCRYPTED REVERSE

More Latest Published Posts

WORLD BANK GROUP
Global Cybersecurity Capacity Program
Global Cybersecurity Capacity Program
Gary Hinson
Getting started withsecurity metrics
Getting started withsecurity metrics
EDPS
Generative AI and the EUDPR.
Generative AI and the EUDPR.
Bright
2024 Guide to Application Security Testing Tools
2024 Guide to Application Security Testing Tools
HADESS
Hacker Culture
Hacker Culture
Quuensland Govermment
RISK ASSESSMENT PROCESS HANDBOOK
RISK ASSESSMENT PROCESS HANDBOOK
Ministry of MOS Security
HIPAA SIMPLIFIED
HIPAA SIMPLIFIED
Hacker Combat
How Are Passwords Cracked?
How Are Passwords Cracked?
CIS - Center for Internet Security
How to Plan a Cybersecurity Roadmap in Four Steps
How to Plan a Cybersecurity Roadmap in Four Steps
ACSC Australia
Information Security Manual
Information Security Manual
Kaspersky
Incident Response Playbook: Dark Web Breaches
Incident Response Playbook: Dark Web Breaches
ninjaOne
Endpoint Hardening Checklist
Endpoint Hardening Checklist
HADESS
Important Active Directory Attribute
Important Active Directory Attribute
ISA GLOBAL CYBERSECURITY ALLIANCE
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
IIoT System Implementation and Certification Based on ISA/IEC 62443 Standards
Rajneesh Gupta
IAM Security CHECKLIST
IAM Security CHECKLIST
sqrrl
Hunt Evil
Hunt Evil
Searchinform
How to protect personal data and comply with regulations
How to protect personal data and comply with regulations
Giuseppe Manco
Threat Intelligence Platforms
Threat Intelligence Platforms
CSA Cloud Security Alliance
Hardware Security Module(HSM) as a Service
Hardware Security Module(HSM) as a Service
IGNITE Technologies
CREDENTIAL DUMPING FAKE SERVICES
CREDENTIAL DUMPING FAKE SERVICES
IGNITE Technologies
A Detailed Guide on Covenant
A Detailed Guide on Covenant
NIST
Computer Security Incident Handling Guide
Computer Security Incident Handling Guide
IGNITE Technologies
DIGITAL FORENSIC FTK IMAGER
DIGITAL FORENSIC FTK IMAGER
Accedere
Cloud Security Assessment
Cloud Security Assessment
YL VENTURES
CISO Reporting Landscape 2024
CISO Reporting Landscape 2024
CISO Edition
Reporting Cyber Risk to Boards
Reporting Cyber Risk to Boards
CIOB
CIOB Artificial Intelligence (AI) Playbook 2024
CIOB Artificial Intelligence (AI) Playbook 2024
INCIBE & SPAIN GOVERNMENT
Nuevas normativas de 2024 de ciberseguridad para vehículos
Nuevas normativas de 2024 de ciberseguridad para vehículos