AHA, other hospital groups urge UHG to formalize breach notification plans following Change Healthcare cyberattack 

May 08, 2024 - 04:01 PM
cybersecurity

The AHA and other national hospital groups May 8 sent a letter to UnitedHealth Group, urging the organization to formally accept responsibility for issuing breach notifications on behalf of providers or customers following cyberattacks if protected health information or personally identifiable information is stolen. UHG CEO Andrew Witty agreed to do so May 1 during hearings with Senate and House committees but has yet to notify the Department of Health and Human Services’ Office for Civil Rights of this plan. 

The letter refers to an April 19 OCR statement in which the agency said, "...with respect to a breach at or by a business associate, while the covered entity is ultimately responsible for ensuring individuals are notified, the covered entity may delegate the responsibility of providing individual notices to the business associate." The letter urges UHG to formally accept this delegation, and notify OCR, state regulators, Congress, media and other stakeholders. 

CMS will accept comments on the proposed rule through July 8. AHA members will receive an advisory with further details on the rule.

Related News Articles

Headline
CISA releases guidance following reported legacy Oracle cloud breach
The Cybersecurity and Infrastructure Security Agency April 17 released guidance to reduce risks associated with a reported breach of Oracle cloud services.…
Headline
Agencies issue guidance on navigating deceptive online recruitment of current and former federal employees
The National Counterintelligence and Security Center, the FBI, and the Defense Counterintelligence and Security Center yesterday released guidance on…
AHA Cyber Intel
[Updated] 3 Must-know Cyber and Risk Realities: What’s Ahead for Health Care in 2025
While the rate of cyberattacks on hospitals has risen dramatically, the severity of the impacts has also grown exponentially. Let’s look at the state of cyber…
Headline
House subcommittee holds hearing on cybersecurity vulnerabilities in legacy medical devices
The House Energy and Commerce Oversight and Investigations Subcommittee April 1 discussed cybersecurity threats in legacy medical devices during a hearing. The…
Headline
Administration extends national emergency for cyber threats
The Trump Administration March 28 announced that it renewed for one year the public emergency for ongoing malicious cyber-enabled activities against the U.S.…
Headline
FBI says no specific, credible threat targeting U.S. hospitals
The FBI March 26 advised that, after extensive investigation and intelligence review, they have not identified any specific credible threat targeted against…