Change Healthcare Breach: What You Need to Do

May 31, 2024

Since February, the Change Healthcare ransomware attack has dominated headlines in the medical industry, cited as likely the most significant breach ever in the U.S. health system

To quickly recap, a group of malicious hackers infiltrated Change Healthcare’s systems in February. The hackers had access to the system for nine days before infecting systems with ransomware on the 21st. When it was realized Change Healthcare’s systems were compromised, its systems were immediately disconnected to mitigate risks. 

This attack not only jeopardized patients’ Protected Health Information (PHI) but also caused detrimental impact on the healthcare industry at large. Change Healthcare processes 15 billion healthcare transactions annually. With these systems down, healthcare providers continue to struggle with basic processes, like filling prescriptions and getting paid through insurance claims. 

The latest update on the Change Healthcare breach has reached Capitol Hill. Andrew Witty, CEO of UnitedHealth Group, the parent company of Change Healthcare, testified at two congressional hearings on May 1st. At these hearings, the cause of the breach was acknowledged: a lack of multi-factor authentication prompts when logging into internal systems. 

Additionally, while Witty confirmed that the exact scope of impacted patients is unknown, it is expected to be very severe. One-third of Americans could be affected by this cyberattack. 

Although Change Healthcare’s lack of security protocols caused the catastrophic breach, it is still your practice’s responsibility to notify impacted patients.

What You Need to Do

The Office for Civil Rights (OCR) is still investigating the magnitude of this cyberattack, but guidance has been released. 

First, Change Healthcare is notifying stakeholders impacted by the breach. This includes Covered Entities and Business Associates. Business Associates must notify Covered Entities if their business is affected, and the responsibility to inform patients ultimately falls on Covered Entities. 

The Breach Notification Rule under HIPAA details what information needs to be shared with patients, including suspected dates the data was breached, what PHI was involved, and the next steps. 

Once it’s known that this breach impacted your patients, it’s vital to notify affected individuals without unreasonable delay and to inform the HHS. The media must also be notified if five hundred or more patients were affected. 

After this significant cyber attack, reviewing your risks and vulnerabilities is crucial. If a vast organization processing up to $2 trillion in medical claims annually can be hacked, so can your practice. 

Ensure standard security protocols, like multi-factor authentication, are in place to mitigate the risk of breaches. When it comes to your HIPAA compliance programs, securing your data is critical. For example, Abyde’s cloud-based software features an intuitive Security Risk Analysis (SRA) and ongoing compliance review to quickly identify and address risks to keep your practice’s sensitive data safe. 

As this breach is still under investigation, Abyde will keep Covered Entities and Business Associates up-to-date on the latest developments. 

Visit the HHS FAQ page on the Change Healthcare breach here. To learn more about software solutions to ensure protected compliance for your practice, schedule an educational consultation here with a compliance expert.