HIPAA Breach News

Provider Associations Seek Clarity on Notification Responsibilities for Change Healthcare Breach

CHIME and several healthcare provider associations have written to the Office for Civil Rights (OCR) Director, Melanie Fontes Rainer, seeking greater clarity and guidance for clinicians and providers about the reporting responsibilities for the Change Healthcare data breach.

The HHS responded promptly to CHIME’s previous letter and confirmed certain requirements regarding the breach response, most importantly, that the affected covered entities may delegate responsibility for issuing notifications to Change Healthcare. OCR stated that if the affected covered entities coordinated with Change Healthcare, they would not have additional HIPAA breach notification obligations; however, they must ensure that Change Healthcare fulfills its obligations.

CHIME is seeking clarification on what the affected covered entities are responsible for when they delegate notifications, and what “ensuring Change Healthcare fulfills its obligations” actually requires of them. “We request confirmation that upon completing the delegation, the notification obligations will rest with Change Healthcare/UHG, with [covered entities] responding to reasonable requests to provide Change Healthcare/UHG with any needed information to the extent feasible,” wrote CHIME. “Anything less will fall short of the mark in providing clarity and reducing the overwhelming burden already experienced by affected clinicians and providers.”

CHIME has also asked whether there is a formal process for delegating responsibility to Change Healthcare and, if there is no online form to complete, what specific actions are expected of covered entities in a business associate relationship with Change Healthcare/UHG that wish to delegate responsibility. Guidance has also been requested for downstream subcontractors of a business associate of Change Healthcare, and on whether the covered entity must delegate the notification requirements to its business associate, which in turn would need to delegate the responsibility to Change Healthcare/UHG.

CHIME is also seeking clarity on the process for sharing the names of the affected individuals, when that process is expected to occur, and what assurance Change Healthcare/UHG will give to clinicians and providers that the breach has been reported to OCR for their patients.

OCR has provided answers to some questions on its FAQ page, but they only relate to the notification requirements of the federal HIPAA Breach Notification Rule. There are also breach reporting requirements under state laws. CHIME is seeking advice about those reporting requirements, whether OCR and Change Healthcare/UHG are coordinating with state officials, and whether OCR anticipates working with state officials and Change Healthcare/UHG to ensure Change Healthcare/UHG’s compliance with state laws.

Some clinicians and providers have expressed concern that some of their patients’ protected health information has been found on the dark web, but they do not currently have any contractual relationship with Change Healthcare/UHG and have not had a contractual relationship for years. CHIME has asked how OCR will handle these situations.

One of the problems with a data breach of this magnitude, which may have affected 1 in 3 Americans, is that many affected patients will have more than one payer. Those individuals may therefore receive multiple breach notification letters, one from each affected payer. Such a situation could create undue stress and anxiety for those patients. CHIME has asked OCR to explain the process for notification to ensure that those individuals only receive one notification.

CHIME has requested answers from OCR as soon as possible as well as a meeting with Fontes Rainer to discuss these concerns.

June 21, 2024: Change Healthcare Starts Notifying Entities Affected by February Ransomware Attack

Change Healthcare has provided an update on the progress made in reviewing the files potentially stolen in its February ransomware attack and has confirmed that the healthcare providers, insurers, and other entities affected have started to be notified. More than 90% of the affected files have been reviewed although it is still not yet possible to confirm precisely what data has been compromised for each affected covered entity. The compromised information may include names, addresses, birth dates, diagnostic images, payment information, Social Security numbers, passport numbers, state ID numbers, and health insurance information. Medical charts and medical histories do not appear to have been stolen.

The HIPAA Breach Notification Rule requires covered entities to issue individual notifications without undue delay and no later than 60 days from the discovery of a data breach. OCR has confirmed that when a data breach occurs at a business associate, covered entities have up to 60 days to issue breach notification letters from the date they receive notification from their business associate. They can delegate responsibility for issuing notifications to the business associate, but they are ultimately responsible for ensuring that notifications are sent.

OCR has confirmed that Change Healthcare may send notifications on behalf of the affected covered entities, and UnitedHealth Group has publicly stated that it will help the affected covered entities with the administrative and notification requirements. Each affected covered entity must coordinate with Change Healthcare regarding the sending of individual notifications.

Change Healthcare said it anticipates mailing individual notification letters at the end of July for all affected covered entities that have asked Change Healthcare to issue notifications on their behalf, although up-to-date contact information may not be held for all of those individuals. The investigation into the breach and file review is ongoing, and Change Healthcare said it may identify further individuals who have been affected as the investigation progresses.

“The media notice and substitute notification posted [Thursday, June 20, 2024] is the next step in the process and consistent with the ongoing communication we have been providing regarding this cyberattack against Change Healthcare and the U.S. healthcare system,” explained Change Healthcare. “While the data review is in its late stages, we continue to provide credit monitoring and identity theft protection to people concerned about their data potentially being impacted.”

June 11, 2024: Senators Urge UHG to Issue Notifications About Change Healthcare Ransomware Attack Before June 21

On June 7, 2024, Senators Maggie Hassan (D-NH) and Marsha Blackburn (R-TN) wrote to UnitedHealth Group CEO Andrew Witty urging him to take responsibility for issuing notifications about the February 21, 2024, ransomware attack on Change Healthcare and to promptly issue notifications to the affected individuals.

The Office for Civil Rights (OCR) recently updated its website FAQ to clear up confusion about breach notifications (see below) and confirmed that UHG/Change Healthcare can legally send individual notifications on behalf of the affected covered entities; however, it also confirmed that it is ultimately the responsibility of each affected covered entity to ensure that those notifications are sent.

Prior to the publication of the OCR FAQ, UHG offered to issue notifications and undertake the related administrative requirements for the affected covered entities, but it has not publicly confirmed that it is taking sole responsibility for issuing the notifications, nor has UHG formally notified the affected covered entities about the breach.

To clear up any remaining confusion, the senators have called for UHG to formally confirm that it will be handling all of the breach notification requirements, including issuing individual notifications and notifying the media, state attorneys general, and OCR.

At the House Committee hearing on May 1, 2024, Witty confirmed that protected health information had been exposed, and while the scale of the breach was not known, said it could affect up to 1 in 3 Americans. The ransomware group publicly confirmed that patient data had been stolen well before that date.

The senators claim that UHG/Change Healthcare is already in violation of the HIPAA Breach Notification Rule as it has been more than 3 months since the discovery of the ransomware attack and notifications have still not been issued. The HIPAA Breach Notification Rule requires notifications to be issued without undue delay and no later than 60 days from the discovery of the breach.

The senators have called for Witty to immediately send them the plan for issuing notifications and to ensure that notifications are sent no later than June 21, 2024. Until notifications are issued, the affected individuals remain in the dark about the vulnerability of their personal data and health information.

June 3, 2024: OCR Confirms Change Healthcare Can Issue Breach Notifications for Ransomware Attack

The HHS’ Office for Civil Rights (OCR) has updated its Change Healthcare Cyberattack Frequently Asked Questions (FAQs) to provide greater clarity about the breach reporting requirements for the Change Healthcare ransomware attack. OCR has confirmed that Change Healthcare can legally issue breach notifications on behalf of all affected covered entities.

OCR initially said that it is ultimately the responsibility of each covered entity to issue breach notification letters when there is a breach of unsecured protected health information at a business associate, and that a covered entity may delegate breach notifications to the business associate. Change Healthcare is a healthcare clearinghouse, a type of HIPAA-covered entity, but it is a business associate of the covered entities that use its services. While Change Healthcare’s parent company, UnitedHealth Group (UHG), publicly confirmed that it was willing to help its customers by handling the reporting requirements, many Change Healthcare clients were confused about whether UHG would handle the breach notifications. Several provider groups wrote to OCR (see below) asking for OCR to clear up the confusion and confirm that UHG/Change Healthcare would handle all breach notifications.

On May 31, 2024, OCR reiterated that the Change Healthcare ransomware attack resulted in the exposure of electronic protected health information, therefore under HIPAA, individual notifications must be issued to the affected individuals. OCR explained in the updated FAQs that if a covered entity affected by the breach wants UHG/Change Healthcare to issue notifications, then they must contact Change Healthcare to discuss the matter. As far as OCR is concerned, it is acceptable for Change Healthcare to issue notifications for all affected clients.

“Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare,” said OCR Director Melanie Fontes Rainer. “All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.” Several industry groups have praised OCR for clearing up the confusion and confirming that UHG/Change Healthcare can issue notifications. The FAQs also state that if the affected covered entities delegate the notification requirements to Change Healthcare or UHG and those notifications are not issued, then the burden of issuing notifications will fall on the affected covered entities.

Regarding the timescale for issuing notifications, the HIPAA Breach Notification Rule requires notifications to be issued within 60 days of the discovery of a breach. The Change Healthcare ransomware attack was discovered on February 21, 2024, so breach notifications are now due. While many covered entities and business associates have issued notifications within 60 days of the discovery of a cyberattack, it is increasingly common for breached entities to take the date of discovery as either the date that it was confirmed that protected health information was breached, or the date of the completion of the document review, when the exact types of information involved and the total number of affected individuals have been established. In such cases, notifications are issued months after the attack was first identified.

UHG said that up to 1 in 3 Americans could have been affected by the attack but UHG has not confirmed the actual number of individuals affected nor the types of information involved. No time frame has been provided on when those processes will be completed. According to the OCR FAQ, “OCR will not consider the 60-calendar day period from discovery of a breach by a covered entity to start until affected covered entities have received the information needed from Change Healthcare or UHG.”

May 31, 2024: Senator Calls for FTC and SEC to Hold UHG Executives Accountable for Change Healthcare Ransomware Attack

Senator Ron Wyden (D-OR) has written to the Chairs of the Federal Trade Commission (FTC) and Securities and Exchange Commission (SEC) calling for UnitedHealth Group (UHG) executives to be held accountable for the ransomware attack that caused massive disruption and huge financial difficulties for providers across the country.

As UHG CEO Andrew Witty explained in a recent hearing before the House Energy and Commerce Committee, a ransomware affiliate gained access to the internal network via a server that did not have multi-factor authentication (MFA), which left it vulnerable to brute force attacks and to the use of compromised credentials, and that is how the network was breached.

For a company that processed the data of 1 in 3 Americans and was used by so many providers across the country, security should have been exceptional; however, breaching the network was straightforward for the ransomware group. As Sen. Wyden explained in the letter, MFA is a basic security measure and one that a company as large as UHG should have comprehensively implemented.

At the hearing, Witty explained that UHG has a policy requiring MFA to be implemented on all external-facing systems, but in some cases, such as servers running older technologies that have since been updated, MFA may have been skipped because compensating controls were in place. Sen. Wyden said that the board should have been aware that in those cases, skipping MFA was a bad idea.

The failure to comprehensively implement MFA amounts to negligent cybersecurity practices according to Sen. Wyden. If MFA had been in place, the cyberattack and data breach could have been prevented, patients would not have been harmed, and providers’ financial problems would have been avoided.

Patients were prevented from obtaining their medications and had difficulty getting the care they needed as many providers had to restrict hours or even close. Further, the harm is likely to continue as patient data is now in the hands of cybercriminals and can be used for identity theft and fraud. The personal and health information of military personnel was also stolen in the attack, and that information could be obtained by adversaries such as Russia and China, causing serious harm to U.S. national security.

Sen. Wyden believes that the attack was the direct result of corporate negligence and that the executives, including CEO Witty and the board of directors, should be held accountable for the lapses in security. In the letter, Sen. Wyden called for FTC Chair Lina S. Khan and SEC Chair Gary Gensler to investigate UHG over its negligent cybersecurity practices.

The FTC has already taken action against companies for failing to implement MFA. In cases against the alcohol delivery platform Drizly and the education tech firm Chegg, the lack of MFA was deemed to be an unfair business practice that violated the FTC Act, and the companies were ordered to implement the most secure form of MFA, phishing-resistant MFA.

Sen. Wyden also called for UHG to be investigated over its lack of preparedness for ransomware attacks. A plan should have been developed to allow the rapid recovery of its systems in the event of a ransomware attack; however, instead of taking hours or days, the recovery took several weeks.

Sen. Wyden also suggested that the failure of UHG to implement industry-standard cybersecurity defenses was due to a lack of experience on the board. For instance, the Chief Information Security Officer (CISO) at UHG was appointed in June 2023 after holding other positions in UHG and Change Healthcare, yet he had never held any similar cybersecurity position elsewhere. “Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job,” said Sen. Wyden.

He also stressed that the CISO should not be scapegoated due to his lack of experience, and instead, the board of directors should be held responsible for giving the job to someone who clearly did not have the necessary experience.

Sen. Wyden called for the SEC to investigate UHG to determine if any laws under its jurisdiction have been broken and to hold senior officials accountable. A precedent was set last year at the SEC for holding executives accountable for cybersecurity failures when the SEC held that the Chief Technology Officer at SolarWinds was accountable for lax cybersecurity that was exploited in the SolarWinds cyberattack.

May 22, 2024: Provider Groups Request Clarification from HHS on Change Healthcare Data Breach Reporting Requirements

More than 100 provider groups, including the College of Healthcare Information Management Executives (CHIME), American Health Information Management Association (AHIMA), and American Medical Association (AMA), have written to HHS Secretary Xavier Becerra and OCR Director Melanie Fontes Rainer seeking clarification on the HIPAA breach reporting requirements with respect to the Change Healthcare ransomware attack and how those requirements will be enforced.

On March 13, 2024, OCR explained in a Dear Colleague letter that an investigation had been initiated into the Change Healthcare cyberattack to assess United Health Group’s (UHG) and Change Healthcare’s compliance with the HIPAA Rules. OCR explained in the letter that UHG and Change Healthcare are the primary focus of the investigation, and that OCR’s interest in other entities that have partnered with Change Healthcare and UHG is secondary.

“While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules,” wrote OCR in the letter.

In a recently published FAQ on the HHS website, OCR explained that when there is a breach of protected health information (PHI) at a business associate, it is ultimately the responsibility of the covered entity to notify the affected individuals about the breach although the covered entity may delegate that responsibility to the business associate. OCR also said that if there is any doubt regarding how breach notifications will be handled, the affected providers should contact UHG and Change Healthcare.

UHG issued a statement confirming they “are committed to doing everything possible to help and provide support to anyone who may need it,” and that “to help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.”

The provider groups want OCR to clear up confusion for providers and have requested that OCR explain how it intends to enforce the HIPAA reporting requirements with respect to the Change Healthcare data breach. They want to be able to reassure their members that UHG/Change Healthcare will be handling the reporting and notification requirements, rather than the providers that have been affected by the breach. That includes notifying OCR about the breach, issuing notifications to media outlets, reporting the breach to state Attorneys General, and issuing individual notifications.

As explained in the letter, since UHG has offered to handle the breach reporting requirements, it would be quick and easy for OCR to publicly state that UHG/Change Healthcare will be handling all reporting and notification requirements. OCR’s FAQ suggests that every affected provider contact UHG/Change Healthcare for information on how breach reporting will be handled; however, the providers affected are “so numerous that a specific number is not readily available.” The provider groups said, “Given the well-documented state of chaos in the provider community in the wake of this breach, OCR’s silence on this point is disappointing.”

They would like to be able to tell their members that they can rely on the offer from UHG to handle notifications and undertake related administrative requirements on behalf of any provider or customer, and request that OCR confirm that providers can rely on that statement and confirm that since “UHG bears sole responsibility for the breach, no breach notification requirements apply to any affected medical provider.”

They have also requested clarification from OCR regarding its investigations. “OCR should publicly state that their breach investigation and immediate efforts at remediation will be focused on Change Healthcare and not the providers affected by Change Healthcare’s breach.”

May 3, 2024: Senators Grill UHG CEO About Change Healthcare Cyberattack

At a House subcommittee hearing, UnitedHealth Group (UHG) CEO Andrew Witty was grilled by Senators over the Change Healthcare ransomware attack and confirmed that one-third of Americans may have been affected.

Witty opened by saying he was “deeply, deeply sorry,” for the attack and the disruption and financial strain placed on providers and the impact the attack has had on patients. He explained that he decided to pay the $22 million ransom and confirmed that compromised credentials, most likely purchased by the attacker on the dark web, were used to gain access to Change Healthcare’s systems.

Credentials alone should not be sufficient to gain access to a system. Witty confirmed that the stolen credentials were for a Citrix portal used for remote access, and that access was made possible due to the lack of multifactor authentication (MFA). He said it is company policy to have MFA on all externally facing devices but MFA was missing on the Citrix portal, a fact known to the company’s head of cybersecurity. Witty confirmed that all externally facing systems now have MFA enabled.

Change Healthcare states on its website that its systems touch the data of one in three Americans, so the data breach could potentially be huge – more than 110 million Americans. Witty was asked to disclose the scale of the breach and was reluctant to do so in case he was wrong, but when pressed to give an estimate, he confirmed that a third of U.S. residents may be affected.

Senator Calls for Immediate Notifications for Potentially Affected Patients

U.S. Senator Maggie Hassan (D-NH) called for UHG to immediately notify patients whose data was potentially stolen in the Change Healthcare cyberattack. She reminded Witty of UHG’s obligation under HIPAA to issue notifications when it is reasonably believed that protected health information has been exposed. That would mean notifications for all patients for whom Change Healthcare holds data.

“The attack happened on February 21st. The HIPAA deadline for reporting to the agency and to individuals was April 21st. It’s now May 1st,” said Senator Hassan. “Ten weeks is way too long for millions of Americans to not know that their records may be available to criminals on the dark web.” Many HIPAA-regulated entities take the view that the clock starts ticking on the date that it is confirmed that protected health information has been exposed, which is the date when the forensic investigation is completed, or as is increasingly common, the date when the review of all documents on the compromised network has been completed. That could be several months after the date of discovery of a security breach. Witty said that the complex nature of the investigation and review means it could well be several months before notifications can be issued.

At the hearing, Sen. Hassan was able to get Witty to commit to waiving exclusivity clauses from contracts with Change Healthcare, which will make it easier for healthcare providers to make contingency plans and pivot quickly in the event of a future cyberattack on Change Healthcare.

Has Change Healthcare Become Too Big?

Sen. Ron Wyden (D-OR), chair of the Senate Finance Committee, and several other Senators criticized UHG over the speed at which security and systems are being updated. UHG acquired Change Healthcare in 2022 and the upgrades to systems and security have still not been completed. UHG was also criticized for the time it is taking to recover from the attack. While many of the core systems have now been restored, Witty said that older Change systems are still in the process of being restored.

“The Change hack is a dire warning about the consequences of ‘too big to fail’ mega-corporations gobbling up larger and larger shares of the health care system,” said Wyden. “It is long past time to do a comprehensive scrub of UHG’s anti-competitive practices, which likely prolonged the fallout from this hack.” Sen. Marsha Blackburn (R-TN) slammed Witty for the lack of preparedness for what many people believe was an inevitable cyberattack. In 2023, UHG generated around $22 billion in profit. “Your revenues are bigger than some countries’ GDP,” said Blackburn. “How in heaven’s name did you not have the necessary redundancies, so that you did not experience this attack and find yourself so vulnerable?”

The size of UHG was often referenced at the hearing, with Sen. Bill Cassidy (R-LA) suggesting that the dominance of UHG in healthcare markets created a special vulnerability and that the attack had an outsized ripple effect, with Sen. Elizabeth Warren (D-MA) criticizing UHG and calling it “a monopoly on steroids.”

April 30, 2024: UHG CEO to Testify Before House E&C Subcommittee About Change Healthcare Ransomware Attack

UnitedHealth Group (UHG) CEO Andrew Witty is due to testify before the House Energy and Commerce Oversight Investigations Subcommittee on Wednesday, May 1, 2024, about the Change Healthcare Ransomware attack. A copy of his written testimony is available here.

Witty said in his written testimony, “We have been working 24/7 from the day of the incident and have deployed the full resources of UnitedHealth Group on all aspects of our response and restoration efforts. I want this Committee and the American public to know that the people of UnitedHealth Group will not rest – I will not rest – until we fix this.”

He said UHG “repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year”; however, on February 12, 2024, one of those attacks succeeded and a threat actor gained access to the Change Healthcare network. Witty said the threat actor then “moved laterally within the systems in more sophisticated ways and exfiltrated data.” Ransomware was deployed on February 21, 2024, 9 days after the initial intrusion, and data on Change Healthcare’s systems was encrypted, preventing access to those systems.

Witty said the perimeter was secured and UHG prevented the malware from spreading to the broader health system. Those efforts were successful, as the intrusion was confined to Change Healthcare and did not spread to any external environment, including Optum, UnitedHealthcare, and UHG. “We are working tirelessly to uncover and understand every detail we can, which we will use to make our cyber defenses stronger than ever,” explained Witty.

Witty also confirmed that the threat actor gained initial access to the Change Healthcare network using compromised credentials to remotely access a Change Healthcare Citrix portal used for remote access to desktops. The Citrix portal did not have multifactor authentication enabled. He explained that it was initially unclear how access had been gained, so the decision was taken to sever connectivity with Change Healthcare’s data centers. While that move was hugely disruptive, he said it was the right thing to do to contain the attack and limit the harm caused. He also confirmed that it was his decision to pay the ransom. The decision was “guided by the overriding priority to do everything possible to protect people’s personal health information,” and it was one of the hardest decisions he has ever had to make.

He also said that the complicated nature of the data review means it will likely take months to identify and notify the affected individuals. For the individuals affected, that means they could be at risk of identity theft and fraud long before they even find out if their data has been stolen. Witty said UHG is working with industry experts to monitor the Internet and dark web to determine if any of the stolen data is published, and “rather than waiting to complete this review, we are providing free credit monitoring and identity theft protections for two years, along with a dedicated call center staffed by clinicians to provide support services. Anyone concerned their data may have been impacted should visit changecybersupport.com for more information.”

UHG has now provided more than $6.5 billion in accelerated payments and interest-free loans to help providers who have been unable to file and collect insurance claims; however, many patients, hospitals, and health systems continue to be affected by the attack. UHG said in an April 22, 2024, press release that it would “help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack,” and that UHG “has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer.” The American Hospital Association (AHA) and the Medical Group Management Association (MGMA) have called for OCR to hold UHG to its promise to send out breach notifications to the affected individuals.

April 23, 2024: UHG: Substantial Proportion of US Population May Be Affected by Change Healthcare Cyberattack

Andrew Witty, Chief Executive of UnitedHealth Group (UHG) has confirmed that a ransom was paid to prevent the publication of data stolen in the Change Healthcare cyberattack. While the amount paid was not disclosed, it has been widely reported that $22 million was paid to the Blackcat ransomware group behind the attack. The data was not deleted and was obtained by another ransomware group, RansomHub, which tried to extort Change Healthcare and UHG and then leaked screenshots of the stolen data when payment was not forthcoming.

UHG issued a statement confirming that based on the initial results of its investigation, protected health information and/or personally identifiable information was compromised in the attack. Details of the exact types of data involved have not been confirmed, although UHG said it has not found any evidence of exfiltration of doctors’ charts and full medical histories. UHG has yet to confirm the number of people affected by the breach, but has warned that it could cover, “a substantial proportion of people in America.” Change Healthcare states on its website that the information of one in three Americans is touched by its systems, which means it could be the largest ever healthcare data breach, potentially involving the protected health information of more than 100 million Americans.

As for when notifications will be issued, that too is unclear. It has been almost 60 days since the date of discovery of the cyberattack (February 21, 2024), but it was only confirmed on April 15, 2024, that protected health information had been breached. The review of the affected information is ongoing to determine how many individuals have been affected and the types of information involved. “Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals,” said UHG. “As the company continues to work with leading industry experts to analyze data involved in this cyberattack, it is immediately providing support and robust protections rather than waiting until the conclusion of the data review.” A dedicated website has been created with further information.

An update has also been provided on the restoration of Change Healthcare’s services. UHG said pharmacy services and medical claims across health systems are back to near-normal levels, although a small number of providers continue to be adversely affected. Payment processing is at approximately 86% of pre-incident levels, and around 80% of Change Healthcare’s functionality has now been restored. The remaining services are expected to be restored in the coming weeks.

Details of the nature of the breach have yet to be disclosed; however, The Wall Street Journal has reported that the hackers gained access to Change Healthcare’s systems 9 days before ransomware was deployed on February 21, 2024. According to the WSJ source, who is familiar with the attack, compromised credentials were used to access its systems, multifactor authentication was not enabled on the compromised account, and lateral movement occurred from February 12 to February 24, which would have allowed the attackers to gain access to significant amounts of data.

HHS Publishes Webpage with HIPAA FAQs Related to Change Healthcare Cyberattack

The HHS’ Office for Civil Rights has created a webpage to answer commonly asked questions about the Health Insurance Portability and Accountability Act (HIPAA) and the Change Healthcare ransomware attack. The webpage explains the rationale behind OCR’s ‘Dear Colleague’ letter about the cyberattack and the prompt opening of an investigation of Change Healthcare and UnitedHealth Group (UHG) to establish whether they were in compliance with the HIPAA Rules. OCR said action was taken quickly due to the widespread impact of the attack on healthcare providers and patients and the unprecedented impact on patient care and privacy.

OCR confirmed that its interest in other HIPAA-regulated entities in relation to the Change Healthcare cyberattack is secondary but reminded HIPAA-regulated entities that if they have business associate relationships with Change Healthcare or UHG, they must ensure they have business associate agreements in place and reminded them of their responsibility to ensure that protected health information (PHI) is safeguarded.

OCR confirmed that it has yet to receive any notification from Change Healthcare about a breach of PHI and confirmed that covered entities have up to 60 days from the date of discovery of a data breach to report any breaches of unsecured PHI. OCR said covered entities affected by the Change Healthcare cyberattack are required to issue breach notifications to the affected individuals and notify the Secretary of the HHS, and that those notifications should be issued without unreasonable delay and no later than 60 days from the date of discovery of a data breach. A notice is also required to be provided to the media. If a business associate experiences a data breach, it must notify the covered entity within 60 days of discovery. The business associate should provide the covered entity, to the extent possible, with details of the breach and the affected individuals. The covered entity is responsible for issuing breach notifications when breaches occur at business associates, although it may delegate responsibility for doing so to the business associate.

HIPAA-regulated entities that have been affected by the Change Healthcare cyberattack should contact Change Healthcare/UHG if they have any questions about breach notifications to determine the extent to which Change Healthcare and UHG are willing to issue breach notifications on behalf of the affected organizations and how breach notification will occur. UHG has stated publicly that it is willing to help the affected entities with their breach notifications.

Scammers Target Nebraska Hospitals

Bryan Health has issued an alert after being notified by several patients who were contacted by people claiming to be representatives of hospitals in Nebraska telling them they are entitled to a refund related to the Change Healthcare cyberattack. The scammers ask for a credit card number to issue the refund. Bryan Health said its representatives would never ask for a credit card number over the phone to initiate a refund. Jeremy Nordquist, President, Nebraska Hospital Association (NHA), said “Nebraskans need to be vigilant for both them and their family members. If you are at all skeptical regarding the nature of a phone call, hang up and call your hospital directly.” The warning applies to all Americans. There are likely to be many scams related to the Change Healthcare cyberattack over the coming weeks and months.

April 17, 2024: Change Healthcare Investigates Potential Leak of Patient Data

Change Healthcare experienced an ALPHV/Blackcat ransomware attack and reportedly paid a $22 million ransom to prevent 6TB of stolen data from being leaked, only for the group to pull an exit scam and pocket the payment without paying the affiliate who conducted the attack.

A relatively new ransomware group – RansomHub – then issued a demand stating it had acquired the stolen data from the former ALPHV affiliate and required payment to prevent the data from being leaked. Payment has not been made and RansomHub has started to leak the stolen data. Screenshots have been leaked that appear to be data sharing agreements between Change Healthcare and several of its clients, and some files that include patient data.

The group claims it will sell the stolen data to the highest bidder in 5 days if Change Healthcare and UnitedHealth Group refuse to negotiate a suitable payment. Change Healthcare has confirmed it is aware of RansomHub’s threat but has yet to verify whether the leaked data was stolen in the February cyberattack. UnitedHealth Group has confirmed that personal health information and personally identifiable information were stolen in the attack and leading forensics experts have been engaged to review the affected files. The types of information exposed and the number of individuals affected have yet to be disclosed.

Providers Still Struggling Financially Due to Cyberattack

A survey conducted by the American Medical Association (AMA) has revealed that more than one-third (36%) of physician practices have seen claims payments suspended as a result of the ransomware attack, one-third (32%) have not been able to submit claims, two-fifths (39%) have not been able to obtain electronic remittance advice, and one-fifth (22%) have not been able to verify eligibility for benefits.

77% of respondents said they experienced service disruptions since the Change Healthcare ransomware attack and are still dealing with the effects of the attack. 80% of providers said they lost revenue from unpaid claims, 78% lost revenue from claims that they have been unable to submit, 55% have had to use personal funds to cover expenses incurred as a result of the attack, and 51% said they have lost revenue from the inability to charge patient co-pays or remaining obligations.

48% of respondents said they have had to enter new and potentially costly arrangements with alternative clearinghouses to conduct electronic transactions, and while some practices have been able to take advantage of advance payments, temporary funding assistance, and loans, issues persist with all of those measures.

“The disruption caused by this cyber-attack is causing tremendous financial strain,” said AMA President Jesse M. Ehrenfeld, MD, MPH. “These survey data show, in stark terms, that practices will close because of this incident, and patients will lose access to their physicians. The one-two punch of compounding Medicare cuts and inability to process claims as a result of this attack is devastating to physician practices that are already struggling to keep their doors open.”

Lawmakers Seek Answers on What Went Wrong

On April 8, 2024, Senators Josh Hawley (R-MO), ranking member of the Senate Judiciary Subcommittee on Privacy, Technology and the Law, and Subcommittee Chair Richard Blumenthal (D-CT), wrote to UnitedHealth Group Chief Executive Officer Andrew Witty seeking answers about the attack. One of the key questions was why there was a lack of redundancy to prevent a major outage. The Senators also requested information about how its network was breached, asked for a timeline of events following the attack, and wanted to know about the steps UnitedHealth Group is taking to fill the revenue gap providers are experiencing and what is being done to identify the providers and patients whose data was stolen in the attack. The Senators requested answers before April 15, 2024.

On April 15, 2024, members of the House of Representatives Committee on Energy and Commerce wrote to Andrew Witty demanding answers to a long list of questions about the status and impact of the cyberattack and system restoration, the identification and immediate response to the cyberattack, the cybersecurity protocols and dedicated resources in place, the response to the healthcare community, and requested updates on the recovery by April 29, 2024.

At an April 16, 2024, hearing before the Energy and Commerce Health Subcommittee, Subcommittee Ranking Member Anna G. Eshoo (D-CA) criticized UnitedHealth Group over its acquisition of Change Healthcare – an acquisition that was opposed by the Department of Justice. “The attack shows how UnitedHealth’s anti-competitive practices present a national security risk because its operations now extend through every point of our health care system,” said Rep. Eshoo. “The cyberattack laid bare the vulnerability of our nation’s health care infrastructure.” Questions were also asked about whether the government allowed UnitedHealth Group to become too dominant through its mergers and acquisitions and whether enough was done to prevent inevitable cyberattacks given how big a target Change Healthcare is. UnitedHealth Group was asked to attend the hearing, but no representative turned up.

UnitedHealth Group Anticipates $1.6 Billion Loss This Year Due to Ransomware Attack

UnitedHealth Group has spent around $872 million in Q1, 2024, responding to the Change Healthcare ransomware attack, with $593 million spent on direct-response costs and $279 million lost due to business disruption. UnitedHealth has also provided $6 billion in temporary, interest-free funding to providers affected by the outages who have been unable to bill for their services and anticipates the costs in 2024 to increase to between $1.35 billion and $1.6 billion. Despite the losses due to the cyberattack, UnitedHealth Group has exceeded expectations in Q1, 2024, with revenues up $8 billion year-over-year.

April 8, 2024: New Ransomware Group Claims to Have Data from Change Healthcare Ransomware Attack

The ALPHV/Blackcat affiliate behind the Change Healthcare ransomware attack has claimed not to have been paid a share of the $22 million ransom payment, and the ALPHV ransomware operation has since been shut down. The affiliate, who operates under the name notchy, claimed to hold a copy of the 6TB of data stolen in the attack; however, the data does not appear to have been publicly leaked, cybersecurity researchers have not identified any attempts to sell the data, and notchy has been quiet since making the initial claims and appears to be lying low.

There have been some developments, however. A new ransomware group called Ransom Hub has emerged that has issued a ransom demand to Change Healthcare, Optum Group, and UnitedHealth Group. The Ransom Hub post, which was found by security researcher Dominic Alvieri, states that ALPHV stole the $22 million that was paid to prevent the release of the stolen data and that ALPHV does not hold the stolen data.

Ransom Hub claims to have the only copy of the stolen data and the post lists some of the affected healthcare providers. Ransom Hub is threatening to leak the stolen data and has given Change Healthcare and UnitedHealth Group 12 days to pay the ransom. “Change Healthcare and United Health you have one chance in protecting your clients data,” said Ransom Hub on its dark web site. “The data has not been leaked anywhere and any decent threat intelligence would confirm that the data has not been shared nor posted.”

Vx-underground engaged with the Ransom Hub group, which claimed to have recruited previous ALPHV affiliates, suggesting that notchy may be one of the affiliates that has joined the operation; however, there are other possible explanations as VX Underground explained, “it is not clear if RansomHub is a rebrand of ALPHV ransomware group, the affiliate at ALPHV is moving to RansomHub, or if this is a scam by RansomHub ransomware group trying to intimidate Change Healthcare into paying again.”

“Ransomware payouts is a tricky business because you’re dealing with criminals who can’t be trusted. Various theories exist on recent reports that RansomHub is now claiming data from United Health and Change HealthCare, which was recently breached by AlphV,” Ken Dunham, Cyber Threat Director at Qualys Threat Research Unit told The HIPAA Journal. “This can be explained through shifts in the criminal marketplace, lying by bad actors, multiple compromises, or other scenarios. It is not uncommon, as an incident responder, to discover not just one threat inside of a compromised environment, but two or more. It is also not uncommon for companies that give in to bad actors performing extortion, such as ransomware and DDoS payouts, to become “soft targets”, quickly hit again with additional forms of extortion again and again.”

Change Healthcare Seeks Consolidation of Lawsuits

Lawsuits against Change Healthcare have been mounting, with at least two dozen lawsuits now filed in response to the attack and data breach. The lawsuits have been filed by patients who claim their sensitive data was stolen in the attack and by healthcare providers who have been affected by the prolonged outage of Change Healthcare’s systems. Change Healthcare has responded by filing a motion that seeks consolidation and transfer of the lawsuits to Change Healthcare’s home district, the United States District Court for the Middle District of Tennessee. While lawsuits have been filed by individuals and providers, Change Healthcare has asked the court to consolidate all lawsuits, since they include common factual and legal issues arising from the attack and they assert substantially identical causes of action.

According to Change Healthcare, consolidating the lawsuits will prevent duplicative discovery, inconsistent pretrial rulings, and will conserve the resources of the parties and the courts, and the Middle District of Tennessee has the strongest connection to the litigation. The only common defendant in each of the actions is Change Healthcare, which is headquartered in Tennessee, where key custodians, witnesses, and evidence are also located. The Middle District of Tennessee is also where the first action was filed, along with around half of the subsequent actions.

The lawsuits filed by individuals and providers all make similar allegations – that Change Healthcare failed to implement reasonable and appropriate cybersecurity measures to prevent unauthorized access to its network, something that Change Healthcare denies. “All the actions are based on the incorrect and unfounded theory that, because a cyberattack occurred, Change’s security must have been deficient and plaintiffs must have been harmed,” said Change Healthcare in its filing.

At least 13 lawsuits have now been filed by individuals whose data was allegedly stolen in the attack. They claim that they face an imminent and heightened risk of identity theft and fraud as a result of the theft of their data. At least 11 lawsuits have been filed by healthcare providers who were affected by the outages at Change Healthcare, which caused delays in insurance claims and have threatened the viability of their businesses.

Disruption Continues to Be Experienced by Providers Despite Restoration of Change Healthcare Systems

Many of Change Healthcare’s systems have now been restored, with the remainder expected to be restored in the next few weeks. The latest update on April 5, 2024, said medical network and transaction services such as Pharmacy solutions, Exchange clearinghouse, Assurance Reimbursement Management, Clearance Patient Access Suite, and Reimbursement Manager, as well as claims and eligibility transactions are being prioritized.

While medical claims are now flowing through Change Healthcare’s network, providers are still facing delays due to the substantial billing backlog and the unavailability of certain systems. Change Healthcare’s Assurance and Relay Exchange clearinghouses are back online and have been for a few weeks; however, it has taken time for commercial payers and government payers to reconnect the claims network, with providers across the country still waiting for many claims to be paid. UnitedHealth Group has continued to offer financial assistance and has provided more than $4.7 billion in temporary financial assistance to the affected providers.

March 29, 2024: UnitedHealth Group Confirms Data Stolen in Change Healthcare Ransomware Attack

It has been more than 5 weeks since Change Healthcare suffered a Blackcat ransomware attack. The ALPHV/BlackCat group is known to exfiltrate data in its attacks; the group claimed to have stolen 6TB of data, and a ransom of $22 million was paid to a Blackcat account to prevent the release of the stolen data. The affiliate behind the attack claimed not to have been paid for the attack, the ALPHV/Blackcat group said the ransom was seized by law enforcement and was never received, and the affiliate still claimed to hold a copy of the stolen data.

Neither Change Healthcare nor its parent company, UnitedHealth Group, have publicly disclosed whether a ransom was paid but UnitedHealth Group has now confirmed that data was stolen in the attack. UnitedHealth Group said it has started analyzing the exfiltrated files to determine how many individuals have been affected and the types of data involved. UnitedHealth Group said it was unable to confirm whether data had been stolen until now as Change Healthcare’s systems were difficult to access and it was not safe to pull any data out of those systems directly. The delay was due to the time taken to complete mounting and decompression procedures, but a dataset has now been obtained that can be safely accessed and analyzed.

No timescale has been provided so far about when that analysis will be completed but UnitedHealth Group said attention is focused on the data review. While it is currently unclear what types of data were stolen in the attack, UnitedHealth Group said personally identifiable health information, eligibility and claims information, and financial information are likely to have been compromised. So far, UnitedHealth Group has not identified the publication of any of the stolen data on the dark web.

Key systems have now been restored but many Change Healthcare IT products and services remain offline. UnitedHealth Group said substantial progress has been made in recovering those systems, with eligibility processing, clinical data exchange, and retrospective episode-based payment models expected to be restored in the next 3 weeks. UnitedHealth Group has also confirmed that it has paid out more than $3.3 billion in loans to healthcare providers under its temporary funding program to help ease the financial strain caused by delays to the processing of insurance claims, and providers will have 45 days to pay back the loans. 40% of the $3.3 billion has been provided to safety net hospitals and federally qualified health centers that serve high-risk patients and communities.

HHS Issues Guidance for Providers Affected by Change Healthcare Ransomware Attack

The Department of Health and Human Services (HHS), Centers for Medicare and Medicaid Services (CMS), and the Administration for Strategic Preparedness and Response (ASPR) have issued guidance to help entities impacted by the Change Healthcare ransomware attack.

The attack forced Change Healthcare to take more than 100 systems and services offline, and those systems have remained offline for several weeks. While key products and services have been restored, some Change Healthcare systems are still offline. It is likely to take several more weeks before all services are restored. HHS Deputy Secretary Andrea Palm, ASPR Administrator and Assistant Secretary Dawn O’Connell, and CMS Administrator Chiquita Brooks-LaSure said they continue to hear from providers who are still experiencing difficulty getting answers from healthcare plans about the availability of prospective payments or the flexibilities that may be needed while Change Healthcare’s systems remain unavailable.

They explained that the HHS has asked health plans to provide national contact information that the affected providers can use, and have shared resources to help affected providers get the answers they need. Affected providers have been urged to try to get answers from regional points of contact for their health plans in the first instance, and to use the provided contact information if they are unable to get a response.

They have also taken the opportunity to remind healthcare providers about the HHS voluntary Healthcare and Public Health Cybersecurity Performance Goals, which will help them to strengthen preparedness, improve resiliency against cyberattacks, and better protect patient health information.

Department of State Offers $10 Million Reward for Information on ALPHV/Blackcat Ransomware Group

The U.S. Department of State has confirmed that there is a reward of up to $10 million for information leading to the identification or location of any individual linked to the ALPHV/Blackcat ransomware group, their affiliates, or links to a foreign government under the Rewards for Justice (RFJ) program.

March 25, 2024: Clarification Sought from OCR About Change Healthcare Ransomware Breach Notifications

The American Hospital Association (AHA) has written to the Department of Health and Human Services seeking clarification about data breach notifications, should it turn out that protected health information has been compromised. OCR recently announced that due to the impact of the Change Healthcare ransomware attack, the decision had been taken to investigate Change Healthcare promptly to establish whether it was compliant with the HIPAA Rules. In a “Dear Colleague” letter, OCR Director Melanie Fontes Rainer said, “While OCR is not prioritizing investigations of health care providers, health plans, and business associates that were tied to or impacted by this attack, we are reminding entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA Rules.”

The AHA expressed concern about Fontes Rainer’s statement and is seeking clarification on which entities need to issue notifications. The AHA explained in the letter that Change Healthcare is a covered entity and, as such, has a duty to notify OCR and the affected individuals about any data breach, even in cases where Change Healthcare acts as a business associate. “We remain concerned, however, that OCR may require hospitals to make breach notifications to HHS and affected individuals, if it is later determined that a breach occurred,” stated the AHA in the letter. “We are seeking additional clarification that hospitals and other providers do not have to make additional notifications if UnitedHealth Group and Change Healthcare are doing so already… our concern is simply that requiring breach notifications in these circumstances will confuse patients and impose unnecessary costs on hospitals, particularly when they have already suffered so greatly from this attack.”

The Washington State Hospital Association (WSHA) has also been contacted by its members who have expressed concern about the notification requirements after reading OCR’s letter. With respect to the business associate agreement and notification warnings in the letter, WSHA said, “This statement reminds hospitals they can get ahead of this issue by reviewing now the various sets of obligations on both their part and the part of Change contained in the BAAs they have in place. Examples of these obligations include breach notification timing and who provides the notice, indemnification, and insurance requirements.”

Patients Report Scam Calls Following Change Healthcare Cyberattack

The Minnesota Hospital Association and Minnesota Attorney General have issued warnings as scammers appear to be targeting patients affected by the Change Healthcare ransomware attack. Patients have reported receiving calls from individuals claiming to be representatives from hospitals, clinics, and pharmacies who are offering refunds or demanding payment. While these calls could indicate that data stolen in the attack is already being misused, it could just be opportunists taking advantage of the situation. Lou Ann Olson of the MHA urged everyone to exercise caution and be wary of scams. “Your hospital will not call or email you to ask for a credit card number,” said Olson. She urged patients to contact their healthcare provider directly if they receive a call, text, or email related to the Change Healthcare cyberattack.

Change Healthcare Criticized for Slow Recovery

Cybersecurity experts have criticized Change Healthcare over its response to the cyberattack, which has caused outages lasting more than 4 weeks. While around 20 services have now resumed, more than 100 are still offline. While it is not unusual for a recovery from a ransomware attack to take several weeks, the extent to which Change Healthcare’s systems are used by healthcare providers means the impact has been far-reaching, and as such, Change Healthcare should have been aware of this and been better prepared to ensure that disruption was minimized.

“The fact that it has taken a company that provides such a critical service so long to recover is obviously a concern. Not only the time it took to recover its IT systems, but the fact that it seemingly didn’t have a backup plan that could be quickly and speedily put in place,” said Emsisoft threat analyst, Brett Callow. Other cybersecurity experts have questioned whether appropriate backups were in place and if an incident response plan was in place that had been properly tested.

UnitedHealth Provides $2.5B in Financial Assistance to Affected Providers and Starts Working on $14M Claims Backlog

UnitedHealth Group has confirmed that it has advanced more than $2.5 billion to healthcare providers affected by the outages at Change Healthcare and has software due to be made available to help with claims preparations. “We recognize the event has caused different levels of impact among providers; therefore, we continue to offer temporary funding assistance at no cost,” the company said. “We know many providers, especially smaller practices, are struggling, and we encourage those who need further assistance to access these resources.”

UHG also said on March 22, 2024, that it expected its biggest clearinghouses to be back online during the weekend, and that the backlog of more than $14 billion in claims will start to flow soon afterwards.

March 15, 2024: UHG Identifies Attack Vector Used in Change Healthcare Ransomware Attack

UnitedHealth Group (UHG) has confirmed that the cybersecurity firms Mandiant and Palo Alto Networks are assisting with the forensic investigation and that the investigation into the February 21, 2024, ransomware attack on Change Healthcare is well underway. UHG has also confirmed that the forensic investigation has uncovered the source of the intrusion. After identifying the initial attack vector, UHG identified a safe restore point and can now work on restoring the systems that are currently non-operational and can start recovering data.

At this stage, UHG has not publicly disclosed the initial attack vector. There was speculation in the days immediately after the attack that two recently disclosed vulnerabilities in ConnectWise ScreenConnect were exploited in the attack. Those vulnerabilities were discovered on February 15, and notifications about the flaws were issued on February 19, just a couple of days before the LockBit ransomware attack on Change Healthcare was detected. UHG said it will be sharing further information on its investigation and recovery in the coming days, but it is unclear whether that will include the attack vector. Typically, victims of cyberattacks do not publicly disclose exactly how their systems were breached.

UHG has confirmed that it has stood up new instances of its Rx Connect (Switch) and Rx ePrescribing services and it has begun enabling its Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity. On March 13, 2024, UHG said all major pharmacy and payment systems are up and more than 99% of pre-incident claim volume is flowing.

March 11, 2024: UnitedHealth Group Expands Financial Assistance Program and Provides Timeline for Recovery

On March 8, 2024, more than 2 weeks after the Change Healthcare ransomware attack, UnitedHealth Group provided a timeline on when it expects to have restored its systems and services. UnitedHealth Group said its electronic prescribing service is now fully functional and has been since Thursday; however, electronic payments are not expected to be available until March 15, 2024. Testing of the claims network and software will commence on March 18, and services are expected to be restored throughout that week.

UnitedHealth Group has also confirmed that its financial assistance program, provided through Optum, has been expanded to include providers that have exhausted all available connection options as well as those that work with payers who will not advance finances during the outage. The financial assistance program will see advance payments made each week based on providers’ historic payment levels and those following the cyberattack. UnitedHealth Group was criticized for the onerous terms of its financial assistance program which was made available a week after the attack, but confirmed that the funds will not need to be repaid until claims flows have completely resumed. When that happens, providers will be sent an invoice and will be given 30 days to repay the funds.

Prior authorizations are being suspended for most outpatient services for Medicare Advantage plans, utilization reviews for inpatient admissions are being put on hold until March 31, 2024, and drug formulary exception review is suspended for Medicare Part D pharmacy benefits. Pharmacies affected by the outage have been notified by Optum Rx that the pharmacy benefit manager will reimburse them for claims filled during the outage “with the good faith understanding that a medication would be covered.”

“We are committed to providing relief for people affected by this malicious attack on the U.S. health system,” said Andrew Witty, CEO, UnitedHealth Group. “All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”

The additional measures have been welcomed but the American Medical Association (AMA) has warned that physician practices are still likely to face significant challenges. “The AMA agrees with UnitedHealth’s call for all payers to advance funds to physicians as the most effective way to preserve medical practice viability during the financial disruption, especially for practices that have been unable to establish workarounds to bridge the claims flow gap until the Change Healthcare network is re-established,” said the AMA. “While providing needed information on timelines and new financial measures is helpful, UnitedHealth Group has more work to do to address physician concerns. Full transparency and security assurances will be critical before connections are re-established with the Change Healthcare network.”

March 5, 2024: UnitedHealth Group Offers Temporary Funding Assistance in Response to Change Healthcare Ransomware Attack

UnitedHealth Group, the parent company of Change Healthcare, has set up a temporary financial assistance program for customers affected by the Change Healthcare ransomware attack. The program will help providers who have been unable to receive payments due to the outage at Change Healthcare. Under the financial assistance program, providers that receive payments processed by Change Healthcare will be able to apply for temporary funding through Optum Financial Services. If applications are made for temporary funding, they will be paid based on prior claims volume and will be interest-free and fee-free.

“We understand the urgency of resuming payment operations and continuing the flow of payments through the health care ecosystem,” explained UnitedHealth. “While we are working to resume standard payment operations, we recognize that some providers who receive payments from payers that were processed by Change Healthcare may need more immediate access to funding.”

The financial assistance program is only available for providers who have been affected by the disruption to payment distribution. Financial assistance is not being offered to providers that have faced claims submission disruption, therefore, only a small number of providers will qualify for assistance. The terms of the financial assistance program are also worrying. Any funds provided will need to be paid back when normal operations resume and repayments will need to be made within 5 days of receiving notice. The terms of the financial assistance include allowing Optum Financial Services to take back the funds without advance communication.

While the move has been welcomed by provider groups, they say it will do little to alleviate the financial strain on many of the affected providers who are experiencing severe cash flow problems due to the increased workload from having to implement workarounds for filing claims and prior authorization requests. The American Hospital Association (AHA) said the assistance being offered “falls far short of plugging the gaping holes in funding caused by the Change Healthcare outage.” The assistance being offered only addresses one of the two problems caused by the Change Healthcare outage. It helps address the problem of payers being unable to pay via Change Healthcare, although the AHA said the terms and conditions are “shockingly onerous.” The AHA said no assistance is being offered at present to ease the burden on providers who are unable to bill payers in a timely manner due to the ongoing disruption of Change Healthcare’s clearinghouse and claims submission systems.

The recovery process has been slow for Change Healthcare. The Blackcat ransomware attack caused an outage that has lasted for almost 2 weeks. On March 1, 2024, Change Healthcare confirmed that it had set up a new instance of its Rx ePrescribing service and had successfully tested the new instance with vendors and retail pharmacies; however, the Clinical Exchange ePrescribing provider tools remain offline, as do around 100 of Change Healthcare’s IT products.

There have been reports in the media that indicate Optum paid a $22 million ransom to the ALPHV/Blackcat ransomware group for the decryption key and to ensure that the stolen data is deleted. The affiliate behind the attack claims that the ALPHV/Blackcat group stole the ransom and has now shut down the operation. The affiliate claims to still hold 4TB of the data stolen from Change Healthcare.

UnitedHealth Provides Update on Incident Response and Recovery

UnitedHealth Group has provided further updates on the recovery process. On March 1, 2024, a new instance of Change Healthcare’s Rx ePrescribing service was made available and UnitedHealth Group said it has already processed more than 3 million transactions, and volume is increasing daily as more system vendors reconnect. Workarounds are continuing to be deployed for claims, and UnitedHealth Group says 90% of claims are now flowing uninterrupted, with claims expected to increase to around 95% by next week (w/c 3/11); however, there are still issues with Change Healthcare’s payment capabilities although progress is being made on restoring them. “Our teams have been diligently working on restoration of the core environment. We expect our data center rebuild and restoration of database center services to be complete this week,” explained UnitedHealth Group. “From there, we will turn our full attention to application and service restoration.”

On March 7, UnitedHealth Group said a new instance of the Rx Connect (Switch) service is now online, that it is actively working to restore full service and connectivity for claim traffic, and that it has begun enabling the Rx Connect, Rx Edit, and Rx Assist services, which are now available for customers who have configured direct internet access connectivity.

While progress is being made on restoring services, attention will soon turn to the scale of the data breach. Given that Change Healthcare processes 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions, this could turn out to be one of the largest healthcare data breaches of all time. At least 5 class action lawsuits have already been filed in Tennessee and Minnesota on behalf of patients who allege their information was stolen in the attack, and that number is expected to continue to grow as the extent of the data breach becomes clear.

March 2, 2024: Change Healthcare Confirms Blackcat Ransomware Attack as Rx ePrescribing Service Reestablished

The Blackcat ransomware group claims to have stolen a vast amount of data from Change Healthcare in the recent cyberattack. In a statement posted on, and later removed from, its data leak site, a member of the group claimed to have stolen 6TB of data from UnitedHealth, which the group alleges includes “highly selective data” from all Change Healthcare clients, including Medicare, CVS Caremark, Health Net, and Tricare, the U.S. military medical health agency. Screenshots of some of the data were shared as proof of data theft. The group also claims to have stolen the source code of Change Healthcare applications. The group claims to have stolen the data of millions of patients, including medical records, insurance records, dental records, payment information, claims information, and patients’ PHI, including health data, contact information, and Social Security numbers.

Change Healthcare has yet to determine the extent of any data breach at this early stage of its investigation. Ransomware groups usually threaten to publicly release data to pressure victims into paying the ransom, and listings are often added when victims refuse to negotiate or when negotiations break down. The rapid removal of the listing suggests that Change Healthcare is in touch with the group, although there could be other reasons for the removal of the data.

In an update on February 28, 2024, Change Healthcare confirmed that disruptions have continued for a 9th day, with some applications still experiencing connectivity issues. Change Healthcare also said it has a high level of confidence that Optum, UnitedHealthcare, and UnitedHealth Group systems were not compromised and the breach appears to be limited to Change Healthcare, with none of its clients’ systems breached.

In a February 29, 2024 update, Change Healthcare confirmed that this was an ALPHV/Blackcat ransomware attack. “Change Healthcare can confirm we are experiencing a cybersecurity issue perpetrated by a cybercrime threat actor who has represented itself to us as ALPHV/Blackcat. Our experts are working to address the matter and we are working closely with law enforcement and leading third-party consultants, Mandiant and Palo Alto Networks, on this attack against Change Healthcare’s systems. We are actively working to understand the impact to members, patients and customers.”

While not specifically referencing the Change Healthcare cyberattack, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) issued a joint cybersecurity alert on February 27 warning about increased attacks on the healthcare sector by the Blackcat/ALPHV ransomware group. 70 victims have been listed on the group’s data leak site since December 2023, and the healthcare sector has been the most commonly attacked sector.

In a March 1, 2024 update, Change Healthcare explained that a new instance of its ePrescribing service has been stood up, although Clinical Exchange ePrescribing providers’ tools are still not operational. “Working with technology and business partners, we have successfully completed testing with vendors and multiple retail pharmacy partners for the impacted transaction types,” explained Change Healthcare in a March 1, 2024 status update. “As a result, we have enabled this service for all customers effective 1 p.m. CT, Friday, March 1, 2024. If you encounter issues following the activation of this script routing service, contact our support team through your normal channels or submit an online ticket via our support portal.”

February 27, 2024: Blackcat Ransomware Group Behind Change Healthcare Cyberattack

The disruption at Change Healthcare has continued into the seventh day after its February 21 cyberattack, with pharmacies across the country still struggling to process prescriptions. With Change Healthcare’s systems out of action, pharmacies have been unable to transmit insurance claims and now have significant backlogs of prescriptions that cannot be processed. On Monday, Change Healthcare confirmed that the attack is still affecting 117 of its applications and components.

Change Healthcare/Optum has been providing daily updates and has confirmed that the disruption is continuing. “We are working on multiple approaches to restore the impacted environment and will not take any shortcuts or take any additional risk as we bring our systems back online,” explained Change Healthcare in its February 26, 2024 update. “We will continue to be proactive and aggressive with all our systems and if we suspect any issue with the system, we will immediately take action and disconnect. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.”

Change Healthcare has engaged the services of Alphabet’s cybersecurity unit, Mandiant, which is assisting with the investigation and remediation of the cyberattack. While neither Change Healthcare nor Mandiant has commented on the nature of the attack, Reuters has reported that two sources familiar with the incident have confirmed that this was a ransomware attack and that the ALPHV/Blackcat ransomware group is responsible. On February 27, 2024, a member of the Blackcat group confirmed that they were behind the attack.

Blackcat is known to engage in double extortion tactics, where sensitive data is exfiltrated before ransomware is used to encrypt files. Ransoms must be paid to recover encrypted files and to prevent the release of stolen data, so there is likely to have been a data breach although that has not been confirmed by Change Healthcare at this stage.

In December 2023, the Blackcat group was the subject of a US-led law enforcement operation that took down websites used by the group. The group issued a statement following the takedown stating that, in response, it had removed affiliate restrictions and now allows affiliates to conduct attacks on critical infrastructure entities and healthcare organizations. It should be noted that the “rule” on not targeting healthcare organizations was not strictly followed before the takedown, as the group conducted several attacks on healthcare organizations in 2023, including McLaren Health Care and Norton Healthcare.

In early updates on the nature of the attack, Change Healthcare said it suspected that the attack was the work of a nation-state-associated actor; however, that appears not to be the case. ALPHV/Blackcat is a financially motivated cybercriminal group with no known links to any nation state. There have also been media reports suggesting the attack involved the exploitation of a vulnerability in ConnectWise’s ScreenConnect app. ConnectWise issued a statement saying Change Healthcare does not appear to be a direct customer, although it is possible that ConnectWise was used by a managed service provider. At this stage, no MSP partners have come forward and confirmed a breach that impacted Change Healthcare.

February 22, 2024: Change Healthcare Responding to Cyberattack

Change Healthcare, a Nashville, TN-based provider of healthcare billing and data systems, has confirmed that it is dealing with a cyberattack that has caused network disruption. The attack was detected on February 21, 2024, and immediate action was taken to contain the incident and prevent further impacts.

“Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact,” explained Change Healthcare on its status page. The Change Healthcare cyberattack has caused enterprise-wide connectivity issues and cybersecurity experts are working around the clock to mitigate the attack and restore the affected systems.

UnitedHealth Group owns Change Healthcare and the healthcare provider Optum. Change Healthcare provides prescription processing services through Optum which provides services to over 67,000 U.S. pharmacies and serves 129 million patients. Change Healthcare handles more than 15 billion healthcare transactions each year and says one in three patient records in the United States are touched by its clinical connectivity solutions. Change Healthcare is used by Tricare, the healthcare provider of the U.S. military, and all military pharmacies, clinics, and hospitals have been affected by the disruption caused by the Change Healthcare cyberattack, and retail pharmacies across the country are experiencing delays processing prescriptions and have been unable to send orders through insurance plans.

In a regulatory filing with the U.S. Securities and Exchange Commission (SEC) on Thursday, UnitedHealth confirmed that Change Healthcare had experienced a cyberattack that affected dozens of systems. At this stage of the incident response, it is too early to tell if any patient data has been exposed or stolen in the attack, and neither UnitedHealth nor Change Healthcare could provide a timeline on when systems will be brought back online.

UnitedHealth said in its SEC filing that it suspects the cyberattack was conducted by a nation state, rather than a cybercriminal group, but did not provide further information on how that determination was made. That announcement is concerning, given the recent warnings about China maintaining access to critical infrastructure entities in the U.S. and the new sanctions due to be imposed on Russia in response to the death of Alexei Navalny.

There are also fears that the cyberattack could extend to the pharmacies connected to the Optum system. The American Hospital Association (AHA) has issued a warning to all members that they should immediately disconnect from the Optum system as a precaution. “We recommend that all healthcare organizations that were disrupted or are potentially exposed by this incident consider disconnection from Optum until it is independently deemed safe to reconnect to Optum,” the AHA said, and in the meantime switch to manual processes.

What is HIPAA and does this Cyberattack Break the Law?

All healthcare organizations that conduct transactions electronically that involve protected health information are required to comply with the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for privacy and security. The HIPAA Privacy Rule prohibits disclosures of protected health information to unauthorized individuals and the HIPAA Security Rule requires safeguards to be implemented to ensure the confidentiality, integrity, and availability of electronic protected health information.

If an unauthorized individual gains access to systems containing protected health information, it is classed as an impermissible disclosure of protected health information and is a reportable HIPAA breach. A cyberattack that results in access being gained to protected health information is not necessarily a HIPAA violation. The HIPAA Security Rule requires risks and vulnerabilities to be identified, and for those risks to be managed and reduced to a reasonable and appropriate level. The HIPAA Security Rule does not require risks and vulnerabilities to be eradicated entirely.

The first priority following the detection of unauthorized system activity should be to contain the incident and ensure that the threat actor is eradicated from internal systems. Systems must be safely brought back online and the nature and scope of the incident established through a forensic investigation. If it is determined that patient data has been exposed, the breach must be reported to the Department of Health and Human Services (HHS) and the affected individuals must be provided with individual notifications within 60 days of the discovery of a data breach. The HHS investigates all data breaches of over 500 records to determine if they were the result of a failure to comply with the HIPAA Rules and financial penalties can be imposed for noncompliance.

The HIPAA Journal will update this post as more information about the incident comes to light, so please check back over the coming days and months.

The post Provider Associations Seek Clarity on Notification Responsibilities for Change Healthcare Breach appeared first on The HIPAA Journal.

Connexin Software Proposes Class Action Lawsuit Settlement to Avoid Bankruptcy

Connexin Software, which does business as Office Practicum, has proposed a $4 million settlement to resolve a consolidated class action lawsuit stemming from a 2022 data breach that affected almost 3 million individuals. Office Practicum provides pediatric-specific health information technology solutions to healthcare providers, including electronic health records, practice management software, billing services, and business analytics tools.

On August 26, 2022, Connexin Software said it detected a data anomaly within its internal network and the subsequent forensic investigation confirmed that an unauthorized third party had obtained an offline set of patient data that was used for data conversion and troubleshooting. The compromised data included the protected health information of 2,675,934 patients, the majority of whom were children. The compromised data included names, guarantor names, parent/guardian names, addresses, email addresses, dates of birth, Social Security numbers, health insurance information, medical and treatment information, and billing and claims data.

Several class action lawsuits were filed against Connexin Software shortly after the company announced the breach, nine of which were consolidated into a single class action lawsuit as they all made similar claims, including an alleged failure to implement reasonable and appropriate security measures to protect patient data. Children’s data is particularly valuable to cybercriminals as it can be misused for years. The affected individuals suffered an invasion of privacy and immediate and long-term risks of identity theft, fraud, medical identity theft, misappropriation of health insurance benefits, and other misuses. The plaintiffs argued that the threat actor behind the attack could also sell the data of children to human trafficking groups.

The settlement is in the best interests of all parties concerned. The plaintiffs will be able to claim for reimbursement of out-of-pocket expenses and Connexin Software will avoid further legal costs. Connexin Software explained to the judge when filing the preliminary settlement that if the lawsuit had progressed much further, the company would have no option other than to file for bankruptcy protection.

All parties have agreed to the proposed settlement, which has received preliminary approval from a Pennsylvania federal court judge. The plaintiffs and class members have been given three options: Expanded identity theft protection services for three years and coverage by a $1,000,000 identity theft insurance policy; reimbursement for unreimbursed out-of-pocket expenses up to a maximum of $7,500 per class member; or a flat-fee cash payment, the amount of which will be determined based on the claims received. Connexin Software has also agreed to invest $1.5 million in its information security program to better protect patient data in the future. Attorneys for the plaintiffs and class members are seeking around $1.3 million in fees.

“The parties were well-aware of each other’s strengths and weaknesses by virtue of the court’s ruling on Connexin’s partial motion to dismiss, their exchange of thousands of pages of documents, nearly a dozen depositions, and mediation-related discovery and analysis directed at Connexin’s finances,” states the settlement document. “Rather than prolonging the litigation, plaintiffs have reached a settlement that will immediately provide them and class members with significant benefits for their injuries arising from the data security incident.” The settlement now awaits a final hearing, the date for which has not yet been set.

Harvard Pilgrim Health Care Ransomware Victim Count Rises to 2.6 Million

Harvard Pilgrim Health Care has confirmed that the information of 2,632,275 individuals was compromised in an April 2023 ransomware attack, increasing the previous total by 81,353. In updated notices submitted to the Attorneys General in California and Maine this month, Harvard Pilgrim Health Care explained that the attack was detected on April 17, 2023, and action was immediately taken to contain the threat and prevent further unauthorized access to its systems. Law enforcement and regulators were notified, and third-party cybersecurity experts were engaged to assist with its investigation and remediation efforts.

Harvard Pilgrim Health Care said the cybercriminal group behind the attack exfiltrated data from its systems between March 28, 2023, and April 17, 2023. The systems accessed by the attackers were used to service members, accounts, brokers, and providers, and contained names, Social Security numbers, and financial information. Harvard Pilgrim Health Care started notifying the affected individuals on May 23, 2023 and disclosed the breach to media organizations serving all 50 states. On June 15, individual notification letters started to be mailed to the affected individuals. As the investigation progressed it became clear that other individuals had been affected. Harvard Pilgrim Health Care has offered complimentary credit monitoring and identity theft protection services to the affected individuals and has implemented additional cybersecurity safeguards to prevent similar breaches in the future.

Coleman Professional Services Inc. Reports Breach of Employee Email Accounts

Coleman Professional Services, Inc., an Ohio-based provider of behavioral health services, has reported a breach of its email environment. On December 14, 2023, Coleman learned that an unauthorized third party had gained access to several employee email accounts. The forensic investigation confirmed the accounts were accessed by an unauthorized third party between September 18, 2023, and October 31, 2023.

The forensic investigation could not confirm whether any patient data was viewed or acquired, but the review of the affected accounts confirmed that they contained the protected health information of 51,889 individuals. The types of information exposed varied from individual to individual and may have included first and last names, dates of birth, Social Security numbers, driver’s license numbers, financial information, and, in some cases, health information. Identity theft protection services have been offered to the affected individuals. Coleman has also taken additional steps to prevent unauthorized individuals from accessing its employee email accounts.

North Hill Communities Report Cyberattack and Data Breach

North Hill, including North Hill Communities, Inc., North Hill Home Health Care, Inc., North Hill Needham, Inc., Connected for Life, Inc., and the North Hill Employee Dental Plan, has confirmed that the personal and protected health information of up to 4,798 individuals was potentially compromised in a December 2023 cyberattack.

The attack was detected on December 26, 2023, and the forensic investigation confirmed that its network had been compromised by an unauthorized third party on December 19, 2023. North Hill said it was not possible to determine whether personal or protected health information was accessed or acquired but did determine that the compromised parts of its network contained sensitive data. The exposed data included names in combination with one or more of the following: date of birth, date of death (if applicable), address, Social Security number, phone number, admission date, health insurance information, medical record number, treatment dates, financial account/bank account number, driver’s license number, claims information, and medical information.

North Hill started notifying the affected individuals on February 14, 2023 and is covering the cost of Single Bureau Credit Monitoring/Single Bureau Credit. Additional security detection and monitoring solutions are being implemented to help prevent similar occurrences in the future.

Advarra Inc. Reports Email Account Breach

Advarra Inc., a provider of integrated research compliance solutions, has reported a breach of the personal and protected health information of 4,656 individuals. On October 26, 2023, Advarra identified suspicious activity in an employee email account. The investigation confirmed that a single account was breached on October 25, 2023, and company and personal information in the account was acquired by an unauthorized third party. That information included names and Social Security numbers. Advarra is unaware of any actual or attempted misuse of data but has offered the affected individuals complimentary credit monitoring and identity theft protection services as a precaution.

February 14, 2024 Healthcare Data Breach Round-Up

Data breaches have recently been reported by the Hampton-Newport News Community Services Board, Marywood Nursing Care Center, Health Alliance, United Regional Health Care System, Nabholz Construction, and J.D. Gilmour & Co.

Hampton-Newport News Community Services Board

The Hampton-Newport News Community Services Board, a Virginia-based provider of behavioral health and intellectual and developmental disability services, has notified 44,312 individuals that some of their protected health information was compromised in a recent ransomware attack. Technical disruptions were experienced on November 12, 2023, and it soon became clear that the disruption was due to the use of ransomware. Third-party cybersecurity experts were engaged to assist with the investigation and remediation, and they determined that the attackers gained access to its network on September 26, 2023.

A review was conducted of all files that could have been accessed, which confirmed that patient data had been exposed. The exposed data varied from patient to patient and may have included names in combination with Social Security numbers, addresses, ZIP codes, driver’s license numbers, dates of birth, clinical information such as diagnosis/conditions, lab results, medications or other treatment information, claims information and insurance information. The Hampton-Newport News Community Services Board was unable to confirm if the above data was accessed or stolen in the attack. Credit monitoring and identity restoration services have been offered to the affected individuals.

Marywood Nursing Care Center

Marian Village Corporation, doing business as Marywood Nursing Care Center in Massachusetts, experienced a security breach that involved the protected health information of 6,178 individuals. The breach notification sent to the Massachusetts Attorney General does not state when the breach was detected or when it occurred, only that an unauthorized individual accessed its network and potentially stole files that contained names, claim information, and addresses. No other information was compromised in the attack. The affected individuals have been offered complimentary access to Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no charge. Marywood said it has deployed additional monitoring tools and will continue to review and enhance the security of its systems.

Health Alliance

Health Alliance in Illinois has recently confirmed that the protected health information of 6,900 of its members was exposed in a data breach at a subcontractor of one of its business associates. Health Alliance contracted with OnTrak, which used the subcontractor Keenan. On August 27, 2023, Keenan discovered the unauthorized access and disconnected its network to contain the incident. The forensic investigation confirmed that an unauthorized third party had gained access to records containing health plan members’ data. Keenan notified Health Alliance about the breach on December 20, 2023, and provided a list of the affected members on January 10, 2024.

Health Alliance then reviewed and matched the list to the records of its members and notification letters have now been sent. Health Alliance said the following information was compromised in the incident: name, address, member number, date of birth, health coverage information, and, in some cases, Social Security number. Keenan has offered the affected individuals a 24-month membership to the Experian IdentityWorksSM Credit 3B service.

Nabholz Construction

Nabholz Construction, a provider of construction-related services in Arkansas, has been affected by a data breach at Cadence Bank that exposed the protected health information of 5,326 members of its Corporation Employee Welfare Health Plan. Cadence Bank informed Nabholz on November 29, 2023, that data had been exposed in a cyberattack that exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer solution. Progress Software issued a patch to fix the vulnerability on May 31, 2023; however, Cadence Bank determined that the vulnerability had been exploited between May 28 and May 31, 2023. The data compromised in the attack included names, Social Security numbers, dates of birth, addresses, medical information such as treatment information, provider names, medications, and health insurance information.

J.D. Gilmour & Co., Inc.

J.D. Gilmour & Co., Inc., a Glendale, CA-based insurance agency, discovered unauthorized access to its email environment on June 29, 2023. Third-party cybersecurity experts were engaged and conducted a forensic investigation of its entire email tenant, which confirmed there had been unauthorized access to a single employee email account. The review of the email account determined on October 27, 2023, that the protected health information of 2,481 individuals had been exposed. On December 21, 2023, J.D. Gilmour & Co. obtained authorization from the affected client to mail notification letters. The affected individuals have been offered Single Bureau Credit Monitoring/Single Bureau Credit Report/Single Bureau Credit Score services at no cost.

United Regional Health Care System

United Regional Health Care System has recently reported a hacking-related data breach to the HHS’ Office for Civil Rights that affected 36,900 patients. There is currently no mention of a data breach on the website of the Wichita Falls, TX-based health system, but the breach notification submitted to the Texas Attorney General states the breach occurred on May 30, 2023, and involved names, dates of birth, medical information, and insurance information.

The post February 14, 2024 Healthcare Data Breach Round-Up appeared first on HIPAA Journal.

Azura Vascular Care Reports Data Breach Affecting 348,000 Patients

Azura Vascular Care, a Pennsylvania-based operator of 70 outpatient vascular centers and ambulatory surgery centers in 25 states and Puerto Rico, notified the HHS’ Office for Civil Rights last month about a cybersecurity incident involving the protected health information of 348,000 patients.

The incident was detected on November 9, 2023. Cybersecurity experts were engaged to assist with the investigation, which confirmed that unauthorized individuals accessed certain systems on or before September 27, 2023, and encrypted certain files. On November 15, 2023, it was confirmed that some of the files that were available to the hackers contained patient data such as names, mailing addresses, dates of birth, and other demographic and contact information, including emergency contact information, Social Security numbers, insurance information, diagnosis and treatment information, and other information from medical or billing records.

Some guarantor information was also exposed, including names, mailing addresses, telephone numbers, dates of birth, Social Security Numbers, and email addresses. Azura Vascular Care said individuals who had sensitive information exposed such as Social Security numbers have been offered complimentary identity protection, credit monitoring, and fraud resolution services.

Covenant Care California Assessing Scope of Cyberattack

Covenant Care California, LLC, which operates skilled nursing facilities and home health agencies throughout California and Nevada, has confirmed there has been unauthorized access to files containing the personal and protected health information of patients and other individuals. The cyberattack was detected on November 14, 2023, and while the investigation is ongoing, it has been determined that files were removed from its network between November 12 and November 14.

The incident has affected current and former patients, prospective patient referrals, and responsible parties of patients who received services from a facility or agency operated by Covenant Care, including rehabilitation services provided through a company called AFFIRMA and home health services provided under the names Focus Health, Elevate Home Health, Choice Home Health Care, and San Diego Home Health.

The list of affected individuals has yet to be finalized, but Covenant Care California has confirmed that the incident involved the following information: name, date of birth, medical information, and/or health insurance information, including diagnosis or treatment information and/or claims and billing information. For some individuals, the information may also include Social Security number, financial account or credit/debit card numbers, driver’s license or state/federal identification number, and/or other personal information.

The breach has been reported to the HHS’ Office for Civil Rights with an interim total of 501 individuals, which will be updated when the investigation concludes. Affected individuals are being offered credit monitoring and identity theft restoration services at no cost.

Cooper Aerobics Announces 124K-Record Data Breach

Cooper Aerobics, on behalf of Cooper Clinic, Cooper Medical Imaging, and Cooper Aerobics Enterprises in Texas, has notified 124,341 individuals that some of their protected health information was exposed in a cyberattack in early 2023. It is not clear from the notification letters when the intrusion occurred. After a comprehensive investigation and file review, Cooper Aerobics learned on December 8, 2023, that files containing the personal and protected health information of patients were potentially removed from its network on February 3, 2023.

Patients have been notified that the following information was potentially involved: name, address, phone number, email address, date of birth, credit or debit card number (including expiration date, and financial account and routing number), tax identification number, driver’s license or government identification, passport number, username and password, Social Security number, and health information (including medical record/patient account number, prescription information, medical provider, and medical procedures), and health insurance information.

Cooper Aerobics started notifying the affected individuals on January 5, 2024, and said it continually evaluates and modifies its practices and internal controls to protect against unauthorized access and will continue to do so.

6,000 Individuals Impacted by Ransomware Attack on Colorado Ophthalmology Associates

Colorado Ophthalmology Associates (COA) has recently disclosed a ransomware attack that was discovered on November 14, 2023. Data exfiltration is common in ransomware attacks, but no evidence of data theft was identified during the forensic investigation. COA said that the attack involved automated encryption and resulted in the loss of electronic medical record files for patient visits or exams conducted between April 10, 2023, and November 14, 2023.

The forensic investigation confirmed that the intrusion began as early as October 4, 2023, and ended on November 14, 2023. The types of information exposed in the attack were limited to names, addresses, dates of birth, phone numbers, email addresses, Social Security numbers, insurance information, dates of service, types of services, diagnoses, conditions, prescriptions, test results, medications, and other treatment information. The incident has been reported to the HHS’ Office for Civil Rights as affecting up to 6,020 individuals.

The post Azura Vascular Care Reports Data Breach Affecting 348,000 Patients appeared first on HIPAA Journal.

462,000 Hawaiians Affected by Data Breach at Navvis & Company

Approximately 462,000 individuals who enrolled in health plans through the Hawaii Medical Service Association (HMSA) have been affected by a data breach at the St. Louis, MO-based business services provider Navvis & Company. Navvis & Company detected unauthorized activity within its systems on July 25, 2023, and the forensic investigation confirmed that an unauthorized third party had access to its systems between July 12, 2023, and July 25, 2023, and exfiltrated sensitive information.

Navvis & Company mailed notification letters to the affected health plan enrollees last month. The information exposed in the incident included names, dates of birth, health plan information, medical treatment information, medical record numbers, patient account numbers, case identification numbers, provider and doctor information, and health record information. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Navvis & Company reported the breach to OCR as affecting 917 individuals, with the affected clients mostly choosing to report the breach themselves. As such, the total number of individuals affected is not known. Other affected clients included SSM Health.

Atlanta Women’s Health Group Notifies 30,000 Patients About April 2023 Cyberattack

Atlanta Women’s Health Group has notified approximately 30,000 patients that their protected health information was stolen in a cyberattack that was detected on April 12, 2023. Third-party cybersecurity experts were engaged to investigate the extent of the breach and an extensive data mining exercise was conducted to determine the individuals affected and the types of data involved.

Atlanta Women’s Health Group said that for the majority of patients, the exposed data was limited to names, dates of birth, patient ID numbers, and other information that may be contained in medical records. It was not possible to tell which specific types of information were accessed or acquired. The review was time-intensive, hence the delay in issuing notification letters. Following the attack, Atlanta Women’s Health Group worked with outside security consultants to implement additional cybersecurity measures to prevent further attacks. While data theft occurred, Atlanta Women’s Health Group said it is unaware of any misuse of patient data.

Coastal Hospice & Palliative Care Confirmed PHI Exposure in July Cyberattack

Coastal Hospice & Palliative Care in Salisbury, MD, has confirmed that the protected health information of 29,100 individuals was potentially compromised in a July 2023 cyberattack. The attack was detected on July 24, 2023, when its network was disrupted. Cybersecurity experts were engaged to investigate the incident and assist with the recovery process.

The review of the files on the affected part of the network was completed on November 20, 2023, and confirmed that the following information had been exposed and was potentially obtained by the attackers: name, Social Security number, date of birth, medical diagnosis information, individual health insurance policy number, physician or medical facility information, medical condition or treatment information and patient account number. Coastal Hospice & Palliative Care said the incident was reported to the Federal Bureau of Investigation and steps have been taken to improve security to prevent similar incidents in the future.

The post 462,000 Hawaiians Affected by Data Breach at Navvis & Company appeared first on HIPAA Journal.

U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit

US Fertility LLC, the operator of more than 100 fertility clinics across the United States, has proposed a $5.75 million settlement to resolve a class action lawsuit that was filed in response to a data breach that exposed the data of around 900,000 patients.

U.S. Fertility announced in November 2020 that hackers had gained access to its network and installed malware (ransomware) that rendered certain systems inaccessible. The breach was detected on September 14, 2020; however, the hackers first gained access to the network on August 12, 2020. Before encrypting files, the hackers exfiltrated sensitive patient data including names, addresses, dates of birth, MPI numbers, Social Security numbers, medical information, and financial information.

A class action lawsuit was filed that alleged U.S. Fertility was negligent by failing to implement reasonable and appropriate cybersecurity measures to protect highly sensitive patient data from unauthorized access. According to the lawsuit, had those measures been implemented, the breach could have been prevented or its severity greatly reduced. U.S. Fertility maintains there was no wrongdoing but decided to settle the lawsuit.

Under the settlement terms, all class members are entitled to a $50 cash payment. Class members whose data was stolen from a California clinic will be entitled to claim an additional cash payment of $200. Claims may also be submitted for up to 4 hours of lost time at $25 per hour, and unreimbursed out-of-pocket losses can be claimed and will be paid up to a maximum of $15,000 per claimant. Claims for reimbursement of losses must be supported by receipts, account statements, IRS documents, police reports, FTC reports, professional invoices, and other documentation. The cash payments may be reduced and paid pro-rata depending on the number of claims submitted.

Individuals who wish to object to the settlement or exclude themselves have until February 20, 2024, to do so. All claims must be submitted by March 19, 2024. The final settlement hearing has been scheduled for April 18, 2024.

The post U.S. Fertility Proposes $5.75 Million Settlement to Resolve Class Action Data Breach Lawsuit appeared first on HIPAA Journal.

Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations. With this one penalty, OCR has already exceeded its total collections from its HIPAA enforcement actions in 2023 and this is the largest financial penalty to be imposed by OCR since January 2021’s $5.1 million penalty for Excellus Health Plan.

Like the Excellus investigation, OCR uncovered multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was in response to a breach of the PHI of 9.35 million individuals. Montefiore Medical Center’s penalty stemmed from a report of a breach of the PHI of 12,517 patients. The scale of a data breach is taken into consideration by OCR when determining an appropriate penalty, but it is the nature of the underlying HIPAA violations that has the biggest impact on the size of a penalty, and Montefiore Medical Center’s HIPAA violations were deemed to be severe.

Montefiore Medical Center, a non-profit hospital system based in New York City, was notified by the New York Police Department in May 2015 that evidence had been uncovered of criminal HIPAA violations at the medical center. A patient’s protected health information had been stolen by an employee. An investigation was launched which revealed the employee had unlawfully accessed the medical records of 12,517 patients, copied their information, and sold the information to identity thieves. The former employee had been accessing the records without authorization for 6 months, from January 1, 2013, through June 30, 2013.

Montefiore Medical Center notified OCR about the breach on July 22, 2015, and OCR informed Montefiore Medical Center on November 23, 2015, that it had initiated an investigation to assess whether the medical center was compliant with the HIPAA Rules. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems.

The insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization between January 2018 and July 2020. The employee had accessed the records of 4,000 patients in connection with a vendor as part of a billing scam. In 2021, the medical center confirmed that another employee had accessed the medical records of patients without authorization over a period of 5 months in 2020. The medical center has since implemented a system to monitor patient records for unauthorized access by employees.

Montefiore Medical Center chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan which includes the following requirements:

  • Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
  • Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Develop and implement a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
  • Distribute the revised policies and procedures to the workforce and provide training to the workforce on those revised policies and procedures.
  • Review and revise current Privacy and Security Rules policies and procedures based on the findings of the risk analysis.

OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for 2 years. “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”

In the announcement about the settlement, OCR reminded HIPAA-regulated entities of their obligations under HIPAA to implement safeguards to mitigate or prevent cyber threats, including threats that originate inside as well as outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.

The post Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty appeared first on HIPAA Journal.

Des Moines Orthopaedic Surgeons Notifies Patients About February 2023 Data Breach

Des Moines Orthopaedic Surgeons (DMOS) in Iowa has recently notified 307,864 current and former patients that some of their protected health information (PHI) was exposed in a cyberattack almost a year ago. DMOS explained that the incident occurred on or around February 17, 2023, and allowed an unauthorized third party to access and/or remove files containing the PHI of DMOS patients. DMOS said the breach was due to the failure of one of its vendors.

DMOS said it immediately contained the threat and engaged third-party cybersecurity experts to investigate the incident to determine the extent of compromise. According to the notification letters, “DMOS devoted considerable time and effort to assessing the extent and scope of the incident and to determine what information may have been accessible to the unauthorized users.” It took 10 months to determine that patient data was present in the documents and records involved, with PHI exposure not confirmed until December 6, 2023.

The types of data involved included names along with one or more of the following: Social Security number, date of birth, driver’s license number, state identification number, passport, direct deposit bank information, medical information, and health insurance information. Notification letters were mailed on January 22, 2024, and individuals whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Michigan Orthopaedic Surgeons Email Account Breach Affects 67,000 Patients

Michigan Orthopaedic Surgeons has recently notified 67,477 patients that some of their PHI was present in an email account that was accessed by unauthorized individuals. Suspicious activity was detected in the email account on or around June 29, 2023. A third-party forensic security company was engaged to investigate the incident and confirmed the email account had been accessed by an unauthorized individual between May 5, 2023, and June 21, 2023.

A comprehensive review of the account was initiated, and it was determined on October 20, 2023, that protected health information was present in the account. The types of information varied from individual to individual and may have included names in combination with one or more of the following: date of birth, Social Security number, financial account number, username and password, health insurance information, and medical information, such as diagnosis, lab results, and prescription information. Individual notifications were mailed on December 19, 2023, and complimentary credit monitoring services have been provided to the individuals who had their Social Security numbers exposed.

Prestige Care Suffers Ransomware Attack

Prestige Care, Inc., a Vancouver, WA-based senior care organization, has recently notified 38,087 individuals that some of their personal and protected health information was potentially accessed or acquired in a September 2023 ransomware attack. The attack was detected on September 7, 2023, with the investigation determining that malware had been installed that prevented access to certain files on its system. The investigation confirmed that the threat actor had access to files containing personal and health information on September 7.

The file review confirmed on December 18, 2023, that those files included names and Social Security numbers. Notification letters started to be sent to the affected individuals on January 31, 2024. Complimentary credit monitoring services have been offered for 12 months.

Bay Area Heart Center Impacted by Phishing Attack on Business Associate

Bay Area Heart Center in St. Petersburg, FL, has confirmed that patient data was exposed in a cyberattack at the law firm Bowden Barlow Law, P.A., which Bay Area Heart Center uses for collections. An employee at the law firm responded to a phishing email, which provided the attacker with access to one of the law firm’s servers between November 17, 2023, and December 1, 2023. Bay Area Heart Center was notified about the breach on December 27, 2023.

The investigation found no evidence to suggest data had been downloaded, but data theft could not be ruled out. The exposed data included names, addresses, full and partial Social Security Numbers, dates of service, limited claims data, and insurance policy numbers. “Bay Area Heart Center takes this matter extremely seriously and is equally frustrated that its patient files were compromised by a third-party vendor,” explained the healthcare provider in its breach notice. “Given the potential impact this breach could have on patients, and in furtherance of its commitment to safety and security, the medical practice is currently reevaluating its partnership with Bowden Barlow Law.” Bay Area Heart Center said it has offered the affected individuals a one-year membership to a credit monitoring service.

Northern Light Health Says Patient Data Not Compromised in Cyberattack

On February 4, 2024, Northern Light Health in Brewer, ME, announced that it was forced to take its patient records system offline on February 3, 2024, after discovering certain computers had been compromised in a cyberattack. Northern Light Health explained that none of the affected computers stored any patient data, and that the patient record system was taken offline while the incident was investigated. Northern Light Health said no third party has made contact demanding a ransom and that the decision to take patient records offline was taken out of an abundance of caution. Downtime procedures were initiated immediately, and patient care was not disrupted.

Daily updates were provided on its website, and on February 5, 2024, Northern Light Health said its medical record system was back online. The incident is still being investigated, and there are still no indications that patient data was exposed.

The post Des Moines Orthopaedic Surgeons Notifies Patients About February 2023 Data Breach appeared first on HIPAA Journal.