HHS says hospitals impacted by Change Healthcare cyberattack can delegate breach notifications to UnitedHealth Group

May 31, 2024 - 03:00 PM
oig-fda-cybersecurity

The Department of Health and Human Services May 31 announced that hospitals and health systems can require UnitedHealth Group to notify patients if their data was stolen during the Change Healthcare cyberattack Feb. 22.

"Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare," said HHS' Office for Civil Rights Director Melanie Fontes Rainer. "All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized."

“The AHA is pleased by the Office for Civil Rights’ announcement that it will permit UnitedHealth Group to make breach notifications on behalf of hospitals and health systems affected by the cyberattack on Change Healthcare,” said Chad Golder, AHA general counsel and secretary. “This is exactly what the AHA asked OCR to do in March. As we explained then, not only is there legal authority for UnitedHealth Group to make these notifications, but requiring hospitals to make their own notifications would confuse patients and impose unnecessary costs on providers, particularly when they have already suffered so greatly from this attack. Today’s decision recognizes this and is a clear example of smart, practical government action.”  

OCR posted Friday's update on its FAQ webpage, adding, "… if covered entities affected by this breach ensure that Change Healthcare performs the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, those covered entities would not have additional HIPAA breach notification obligations."

AHA and other hospital groups had urged UHG in a letter May 8 to formally issue breach notifications on behalf of providers or customers following cyberattacks if protected health information or personally identifiable information is stolen. UHG CEO Andrew Witty agreed to do so May 1 during hearings with Senate and House committees. 

Related News Articles

Headline
HHS issues cyber alert on critical vulnerability in ‘MOVEit,’ file transfer platform
The Department of Health and Human Services Health Sector Cybersecurity Coordination Center June 27 issued an alert about a critical vulnerability in MOVEit, a…
Headline
Agencies issue joint report on memory safety vulnerabilities in open source projects
A joint report released June 26 by the Cybersecurity and Infrastructure Security Agency, FBI, the Australian Cyber Security Centre and Canadian Centre for…
Headline
Bulletin alerts health sector to cyberthreat exploits on TeamViewer
The Health Information Sharing and Analysis Center June 27 issued a threat bulletin alerting the health sector to active cyberthreats exploiting TeamViewer. H-…
Headline
FBI, HHS issue advisory on cyberthreat actors targeting health care to divert payments
The FBI and Department of Health and Human Services June 24 released an advisory about cyberthreat actors targeting health care organizations in attempts to…
Headline
HHS alerts health sector to cyberthreat from Qilin ransomware group 
The Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) this week released an advisory about Qilin, formerly "Agenda…
Headline
Change Healthcare begins notifying customers with compromised patient data following cyberattack 
Change Healthcare June 20 began notifying health care providers and other customers with patient data stolen following February’s cyberattack, the company…