Bipartisan Coalition of Attorneys General Call for UHG to Take Decisive Action to Help Providers and Patients
A bipartisan coalition of 22 state attorneys general sent a letter to UnitedHealth Group CEO Andrew Witty to express their concern about the response to the February 21, 2024, ransomware attack on Change Healthcare and the continuing problems faced by providers, pharmacies, and patients.
Providers and pharmacies in their various jurisdictions have reported catastrophic disruptions due to the extended outage and limited restoration of Change Healthcare’s services, and wholly inadequate responses from Change Healthcare and its payor partners. Many providers and pharmacies have said they are in jeopardy of collapse, with patients experiencing disruption to care due to delays in receiving vital prescription medications. In some cases, patients have been denied access to medications due to providers’ inability to conduct eligibility checks.
In the weeks following the attack, the Attorneys General have received increasingly dire messages from healthcare facilities, care providers, and patients due to the prolonged disruption to Change Healthcare’s services. The outage has caused problems with prescription drug access, there are catastrophic billing and payment backlogs, and other problems stemming from the continued lack of access to Change Healthcare’s services.
“Facilities that use Change Healthcare as their backbone to track services and claims have been unable to timely complete prior authorizations, confirm benefits, document and submit claims, and in some instances have even lost access to basic care IT infrastructure,” wrote the Attorneys General. “You must do more than you are currently to avoid imposing further harm to our states’ health care infrastructure and the patients who rely upon it.”
In addition to the lack of access to Change Healthcare’s systems, it has now been confirmed that there was a considerable data breach. UnitedHealth Group issued a statement confirming that personally identifiable and protected health information was compromised and that the data breach could affect “a substantial proportion of the U.S. population.” Further, “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals.”
The Attorneys General have been contacted by care providers and non-HG facilities who said they are unable to reach Change Healthcare staff who can provide timely information about the data that has been breached, how they can get financial support that does not impose unreasonable conditions such as waiver of liability, and how they can document and submit claims during the outage. While financial assistance has been provided, for many providers that have experienced financial difficulties due to the attack, the support offered has been “paltry”. Some independent providers have been quoted relief of as little as $10 per week.
In the letter, the Attorneys General outlined some of the specific actions that they believe need to be taken to help alleviate the harm caused by the outage. Those measures include the enhancement and expansion of financial assistance to all affected providers, ensuring providers and practices owned by UHG or its subsidiaries are not being offered more advantageous financial assistance than others, providing a dedicated helpline to allow providers to resolve unanswered questions, ensuring that the claims backlog is expeditiously resolved, to issuing timely notifications to the practices and patients whose data has been compromised. The Attorneys General also asked to be provided with an independent analysis confirming that UHG’s and Change Healthcare’s systems have been secured and the vulnerabilities that contributed to the cyberattack have been addressed.
The post Bipartisan Coalition of Attorneys General Call for UHG to Take Decisive Action to Help Providers and Patients appeared first on HIPAA Journal.
HIPAA Privacy Protections for PHI related to Reproductive Health Care: The Final Rule and what Covered Entities and … – JD Supra
Managing the Impacts of the Change Healthcare Cyberattack – The National Law Review
Managing the Impacts of the Change Healthcare Cyberattack The National Law Review
ComplianceJunction HIPAA Training Receives SCCE Accreditation – HIPAA Journal
ComplianceJunction HIPAA Training Receives SCCE Accreditation
The Society of Corporate Compliance and Ethics (SCCE) has recently accredited ComplianceJunction’s ‘HIPAA Training for Organizations’ training course. The SCCE is an Eden Prairie, MN-based non-profit association dedicated to enabling the lasting success and integrity of organizations by promoting high standards in compliance and ethics programs. The SCCE, which has more than 19,000 members in over 100 countries, provides resources, education, and networking opportunities for ethics and compliance professionals and offers professional certification through the Compliance Certification Board (CCB). The CCB is an independent body that recognizes individuals with competence in the practice of compliance and ethics.
ComplianceJunction’s mission is to help healthcare organizations train their employees on HIPAA compliance and ensure they understand their responsibilities when it comes to health information privacy. ComplianceJunction has developed a training course that provides an overview of the Health Insurance Portability and Accountability Act (HIPAA) and serves as a foundation for developing a comprehensive HIPAA training program. The training has been used by more than 1,000 healthcare organizations and over 100 universities to raise awareness of the HIPAA regulations.
“ComplianceJunction’s customers include practice owners and senior managers who want to ensure that their staff members are kept up to date on the HIPAA regulations and their organization maintains compliance with the HIPAA training requirements,” explained ComplianceJunction’s Ryan Coyne. “The SCCE accreditation means their employees can now earn CEUs for completing the course, which provides an extra incentive for completing the training.” Healthcare professionals who complete the accredited HIPAA training course will earn 2.6 Continuing Education Units (CEUs) that demonstrate they are taking steps to stay up-to-date with current regulations and are continuing their education and professional development.
“The ComplianceJunction HIPAA training offers a detailed overview of HIPAA fundamentals, laying a solid foundation for developing a comprehensive training program. The modules and case studies are excellent tools to engage staff in further discussion and uncover additional role-specific training needs,” said Joanne Curran, Director of Health Information Management at the Greater Lawrence Family Health Center. “Staff appreciate the opportunity to earn CEUs for completing the training series and look forward to additional training offerings.”
The post ComplianceJunction HIPAA Training Receives SCCE Accreditation appeared first on HIPAA Journal.
Phishers Gain Access to 23 L.A. County Department of Health Services Email Accounts
Los Angeles County Department of Health Services’ employees were targeted in a recent phishing campaign, and almost 2,800 Catholic Medical Center patients have been affected by a data breach at one of its vendors.
Los Angeles County Department of Health Services Phishing Attack
The Los Angeles County Department of Health Services was recently targeted in a phishing campaign that saw 23 employees tricked into disclosing their email account credentials after clicking a hyperlink in an email that appeared to have been sent by a trusted sender. The email accounts were accessed by an unauthorized third party between February 19, 2024, and February 20, 2024.
The Department of Health Services said the attack was reported to law enforcement which recommended delaying notifying the affected individuals so as not to interfere with the investigation. Notification letters have now been mailed to the affected individuals who have been provided with information on the steps they can take in response to the breach. The types of data exposed varied from individual to individual and may have included one or more of the following: first and last name, date of birth, home address, phone number(s), e-mail address, medical record number, client identification number, dates of service, and/or medical information (e.g., diagnosis/condition, treatment, test results, medications), and/or health plan information.
The Department of Health Services has sent awareness notifications to all members of the workforce reminding them to be vigilant when opening emails, has enhanced its training regarding identifying and responding to phishing emails, and has implemented further controls to minimize the risk of further successful attacks.
The breach has been reported to the HHS Office for Civil Rights but is not yet showing on the OCR breach portal, so it is currently unclear how many individuals have been affected.
Catholic Medical Center Patients Affected by Email Breach at Business Associate
Almost 2,800 patients of Catholic Medical Center (CMC) in New Hampshire have been affected by a data breach at one of its vendors, the accounts receivable management service provider Lamont Hanley & Associates. Lamont Hanley & Associates notified CMC on March 6, 2024, that there had been unauthorized access to an employee’s email account. The breach was detected on June 20, 2023, and it was determined that patient data may have been accessed or acquired by the unauthorized third party, although no specific evidence of data access or data theft was identified.
The account contained the protected health information of 2,792 CMC patients, including names, Social Security numbers, dates of birth, medical and claim information, health insurance information, individual identification information, and financial account information. Lamont Hanley & Associates is offering complimentary credit monitoring services to eligible individuals and has taken steps to improve security to prevent similar breaches in the future.
The post Phishers Gain Access to 23 L.A. County Department of Health Services Email Accounts appeared first on HIPAA Journal.
HIPAA Update to Include Cybersecurity Requirements for Health Care Organizations – Renal and Urology News
HIPAA Update to Include Cybersecurity Requirements for Health Care Organizations Renal and Urology News
Kaiser Permanente Website Tracker Breach Affects 13.4 Million Individuals
Kaiser Permanente Health Plan Inc. is notifying 13.4 million individuals that some of their personal data has been disclosed to third parties such as Microsoft (Bing), Google, and X (Twitter) via tracking technologies on its websites and apps. This is the largest healthcare data breach to be reported so far in 2024 and the largest confirmed healthcare data breach to date involving website tracking technologies.
Kaiser Permanente said the tracking technologies were identified during a voluntary internal investigation and they have now been removed from its websites and mobile applications. Additional measures have been implemented to prevent similar occurrences in the future. Notifications are being sent to all individuals who have potentially been affected “out of an abundance of caution,” including current and former health plan members in all markets that Kaiser Permanente operates, and individuals who used its websites and mobile apps. Notifications are expected to be issued in May 2024.
The types of data potentially disclosed to tech companies included names, IP addresses, sign-in statuses, and information about users navigated through the websites and apps. Other information was potentially disclosed based on individuals’ usage of the websites and apps, including search terms when using its health encyclopedia such as symptoms, drugs, injuries, and exercises. No highly sensitive information such as Social Security numbers, financial information, and usernames/passwords were disclosed. Kaiser Permanente said it is not aware of any misuse of the disclosed data; however, it is possible that individuals may have been served targeted ads based on their interactions on Kaiser Permanente’s websites and apps.
The privacy violation has been reported to the Department of Health and Human Services’ Office for Civil Rights (OCR) as a breach of the Health Insurance Portability and Accountability Act (HIPAA). In December 2022, OCR published guidance on HIPAA and tracking technologies and recently updated its guidance to clarify when these technologies can be used and how they can be made HIPAA-compliant. OCR and the Federal Trade Commission (FTC) have been cracking down on the use of these technologies and sent around 130 warning letters to hospitals and telehealth companies last year reminding them of their obligations under HIPAA and the FTC Act, and the FTC has settled 5 complaints – Easy Healthcare (Premom), GoodRx, BetterHelp, Monument, and Cerebral – that alleged violations of the FTC Act related to the use of these technologies without consumers’ consent. State attorneys general have also investigated privacy violations related to the use of tracking technologies, including the New York Attorney General, who settled alleged violations of HIPAA and state laws with New York Presbyterian Hospital over the use of these tools.
The post Kaiser Permanente Website Tracker Breach Affects 13.4 Million Individuals appeared first on HIPAA Journal.