Groups Ask HHS for Guidance on Massive Change Breach Reports – Source: www.databreachtoday.com

Breach Notification
,
HIPAA/HITECH
,
Security Operations

Industry Associations Want Feds to Put Regulatory Onus on Change Healthcare

Marianne Kolbasuk McGee (HealthInfoSec) •
July 1, 2024    

Two weeks ago, Change Healthcare began notifying thousands of medical practices about a massive data breach affecting millions of patients. The healthcare software firm says it will handle breach notifications, but industry groups want to guarantee the government will go along with that plan.

See Also: Cyber Insurance Assessment Readiness Checklist

If not, the groups fear that small medical practices, hospitals and other providers will be saddled with major costs and a drain on resources – after many already suffered financial woes from the cyberattack and subsequent outage in February that disrupted services and billing for months.

The College of Healthcare Information Management Executives, the American Medical Association and three other large industry groups in a June 26 letter are again calling on Department of Health and Human Services’ Office for Civil Rights for further guidance to clearly detail breach notification responsibilities of HIPAA-regulated entities in the context of the Change Healthcare incident.

“Given the complicated nature of this situation, our members have several outstanding questions and seek immediate guidance and resolution from your office,” the group wrote to HHS OCR Director Melanie Fontes Rainer. “It is essential that OCR promptly outlines and communicates the ‘when, what, why, and how’ in this situation, ensuring that the accountable party can act without delay.”

CHIME – which represents thousands of healthcare CIOs and CISOs – and the AMA – which represents tens of thousands of physicians – want HHS OCR confirmation that if entities delegate their breach notification duties to Change Healthcare, “the notification obligations will rest with Change Healthcare/UHG, with covered entities responding to reasonable requests to provide Change Healthcare/UHG with any needed information to the extent feasible.”

“Anything less will fall short of the mark in providing clarity and reducing the overwhelming burden already experienced by affected clinicians and providers,” says the letter, which was also signed by the American Academy of Family Physicians, the American College of Physicians and the Medical Group Management Association.

In a statement posted to its website for two months, Change Healthcare told clients “this type of delegation is an industry standard practice.” The company offered to notify HHS and state regulators and to draft and send notice letters to individual patients to “reduce burdens on impacted customers.”

Dozens of other healthcare industry groups asked HHS OCR in May for the agency to deem Change Healthcare responsible for breach notification duties (see 100 Groups Urge Feds to Put UHG on Hook for Breach Notices).

HHS OCR responded to the groups and on May 31 released updated guidance, which was initially issued in April, regarding the Change Healthcare incident (see: Feds Say Change Healthcare Can Handle Breach Notification).

The updated guidance, in the form of frequently asked questions, said HIPAA-covered entities may indeed delegate breach notification to Change Healthcare and its parent, UnitedHealth Group, related to the incident, including notification of affected individuals, HHS and the media.

But HHS OCR in that updated material reiterated what the agency said in its April guidance – that under the HITECH Act, covered entities are still ultimately responsible for ensuring that such notifications occur (see: Feds Issue Guide for Change Health Breach Reporting Duties).

In their latest letter, CHIME, AMA and the three other groups ask HHS OCR to further drill down on an array of other difficult issues and details regarding notification.

“Will there be a formal process created by Change Healthcare/UHG or HHS that covered entities can complete to delegate the breach reporting responsibility to Change Healthcare/UHG to make this as seamless as possible – for example, an online submission form?” the letter asks.

“If delegation may not be accomplished via an online portal hosted by Change Healthcare/UHG, what are the expected and specific actions that need to be taken by covered entities who are in business associate relationship with Change Healthcare/UHG and who wish to delegate breach notifications to Change Healthcare/UHG?

“We request that OCR provide a clear statement that CEs who are not in a BA relationship with Change Healthcare/UHG are under no breach notification obligation regarding the Change Healthcare/UHG data breach,” the letter says.

HHS OCR did not immediately respond to Information Security Media Group’s request for comment.

UnitedHealth Group CEO Andrew Witty told Congress in May that the Change Healthcare breach potentially affects one-third of Americans. The U.S. Census Bureau says the U.S. population in more than 336 million (see: Lawmakers Grill UnitedHealth CEO on Change Healthcare Attack).

The company said it likely will take until late July to begin notifying individuals affected by the incident. The Change Healthcare attack, discovered on Feb. 21, disrupted claims processing and other critical business processes for tens of thousands of healthcare providers for weeks (see: Change Healthcare Begins to Notify Clients Affected by Hack).

UnitedHealth Group has admitted it paid a $22 million ransom to BlackCat, also known as Alphv, for a decryptor key and to prevent a data leak. But within a month of the attack and ransom demand, a BlackCat affiliate who took credit for the Change Healthcare attack subsequently claimed BlackCat kept all of the ransom payment, rather than sharing the affiliate’s cut.

The cybercrime group RansomHub then tried to extort UHG again, claiming to have 4 terabytes of data stolen by the BlackCat affiliate in the attack (see: A Second Gang Shakes Down UnitedHealth Group for Ransom).