April 26, 2024
It’s Friday! It’s time to unwind and not think about work for a few days… except for the Change Healthcare breach, that party’s not over. Let’s get you caught up.
As we’ve kept you updated with the latest updates in the Change Healthcare Breach on the blog and our social media with our This Week in Compliance (TWIC) series, there have been some significant updates in this compliance catastrophe.
Accompanied by our This Week in Compliance (TWIC) video, let’s dive into the latest on Change Healthcare breach.
Double Trouble
Sometimes, two isn’t better than one. Change Healthcare received a double scoop of trouble, and, unlike a sundae with delicious hot fudge, this came with two servings of ransom demands!
Change Healthcare is no stranger to ransom demands, paying $22 million in Bitcoin to the BlackCat hacking group.
This is just the beginning of the story.
Another hacking group, RansomHub, announced they had several terabytes of Protected Health Information (PHI).
For some perspective, here’s a simple explanation. A terabyte contains over 5 million document pages! Think about how many patients a leak of that information could impact!
At first, there was skepticism about whether these RansomHub bullies truly had access to the information, bluffing for a ransom payment. Unfortunately, RansomHub does have this PHI, sharing over 20 victims’ health information to prove a point.
While we don’t know how much it is, we’re willing to bet it’s much more than an Abyde subscription.
Pretty Penny for PHI
This breach is costing the UnitedHealth Group over a billion dollars!
These costs impact not only the medical giant but all of the practices and hospitals that rely on the organization to process prescriptions. According to the American Hospital Association, 94% of all hospitals report financial impact, with 33% costing the hospitals more than half of their revenue!
In addition to the monetary costs of the attack, the UnitedHealth group has to repair its shattered reputation.
The UnitedHealth Group is currently caught in the crosshairs of national-level legal proceedings, with Congress beginning hearings on the attack. Shockingly, UnitedHealth Group was not in attendance, but the CEO, Andrew Witty, is due for an appearance at the beginning of May.
What’s next?
This breach is a serious reminder that no matter how big, or small, your practice is, data breaches can happen to anyone. It’s important to stay proactive and address your vulnerabilities to protect PHI.
As we continue to discover the extent of the attack, even if your practice didn’t cause the breach, Covered Entities must notify affected patients according to the Breach Notification Rule.
For our Abyde users, check out the What’s New section for guidance on notifying your patients. The HHS also has a FAQ section on its website regarding the breach.
To learn more about how to keep your practice safe, schedule a consultation with a compliance expert here.