May 31, 2024

Since February, the Change Healthcare ransomware attack has dominated headlines in the medical industry, cited as likely the most significant breach ever in the U.S. health system.

To quickly recap, a group of malicious hackers infiltrated Change Healthcare’s systems in February. The hackers had access to the system for nine days before infecting systems with ransomware on the 21st. Once the compromise was discovered, Change Healthcare’s systems were immediately disconnected to mitigate risks.

This attack not only jeopardized patients’ Protected Health Information (PHI) but also had a detrimental impact on the healthcare industry at large. Change Healthcare processes 15 billion healthcare transactions annually. With these systems down, healthcare providers continue to struggle with basic processes, like filling prescriptions and getting paid through insurance claims.

The latest update on the Change Healthcare breach has reached Capitol Hill. Andrew Witty, CEO of UnitedHealth Group, the parent company of Change Healthcare, testified at two congressional hearings on May 1st. At these hearings, the cause of the breach was acknowledged: a lack of multi-factor authentication prompts when logging into internal systems. Additionally, while Witty confirmed that the exact scope of impacted patients is unknown, it is expected to be very severe. One-third of Americans could be affected by this cyberattack.

Although Change Healthcare’s lack of security protocols caused the catastrophic breach, it is still your practice’s responsibility to notify impacted patients.

What You Need to Do

The Office for Civil Rights (OCR) is still investigating the magnitude of this cyberattack, but guidance has been released.

First, Change Healthcare is notifying stakeholders impacted by the breach. This includes Covered Entities and Business Associates. Business Associates must notify Covered Entities if their business is affected, and the responsibility to inform patients ultimately falls on Covered Entities.

The Breach Notification Rule under HIPAA details what information needs to be shared with patients, including suspected dates the data was breached, what PHI was involved, and the next steps. Once it’s known that this breach impacted your patients, it’s vital to notify affected individuals without unreasonable delay and to inform the HHS. The media must also be notified if five hundred or more patients were affected.

After this significant cyberattack, reviewing your risks and vulnerabilities is crucial. If a vast organization processing up to $2 trillion in medical claims annually can be hacked, so can your practice. Ensure standard security protocols, like multi-factor authentication, are in place to mitigate the risk of breaches.

When it comes to your HIPAA compliance programs, securing your data is critical. For example, Abyde’s cloud-based software features an intuitive Security Risk Analysis (SRA) and ongoing compliance review to quickly identify and address risks to keep your practice’s sensitive data safe.

As this breach is still under investigation, Abyde will keep Covered Entities and Business Associates up-to-date on the latest developments. Visit the HHS FAQ page on the Change Healthcare breach here. To learn more about software solutions to ensure protected compliance for your practice, schedule an educational consultation here with a compliance expert.

UnitedHealth Group in the Hot Seat: All Eyes on the Change Healthcare Breach
May 1, 2024

Over the last several months, your friends at Abyde have kept you updated on the latest in the Change Healthcare Breach. Since February 21st, this breach, likely the most significant healthcare data breach ever in the United States, has held the healthcare industry captive. Change Healthcare, nestled under the UnitedHealth Group umbrella and processing about 50% of U.S. medical claims, is still picking up the pieces.

If you work in healthcare, you feel the sting of the attack. Almost all hospitals reported financial damages because of the attack. So, how did we get here?

You’re getting answers, as CEO of UnitedHealth Group, Andrew Witty, is set to testify in front of two congressional panels today. Don’t worry, we’re not going in blind! While Witty might be on center stage today, a written testimony has already been released. Stay tuned because we’re decoding this testimony and answering your burning questions.

Pack your bags! We’re taking a quick trip to the Capitol!

Party Crashers

This compliance catastrophe began on February 21st, with the BlackCat hacking group infecting Change Healthcare’s systems with ransomware. However, the team of malicious hackers had been plotting for over a week, being in Change Healthcare’s systems for nine days before the attack.

How did they get in? It wasn’t a Mission Impossible stunt, avoiding lasers and jumping between buildings, but a simple case of compromised credentials. Using a stolen login, the black-hat hackers could log into a Change Healthcare application portal and remotely access desktops. This portal didn’t have a standard security protocol: multi-factor authentication.

Multi-factor authentication (MFA), like a code sent to your phone before logging in, is a typical security standard for protecting sensitive data. Implementing technical safeguards, like MFA, falls under the HIPAA Security Rule.

Mopping up the Mess

Change Healthcare is no stranger to hacking attempts, thwarting 450,000 intrusions a year, and once the ransomware was identified, it sprang into action. According to Witty, the Change Healthcare team immediately severed connectivity with the data centers to avoid the spread of the ransomware.

Change Healthcare started from the bottom up, rebuilding the foundation of its technology infrastructure, replacing thousands of laptops, and implementing new credentials and new servers with the help of tech powerhouses like Amazon and Google. As of today, the ransomware only impacted Change Healthcare and none of UnitedHealth Group’s other organizations.

Witty also admitted to meeting ransom demands, saying it was one of the toughest decisions he’s ever had to make.

What’s Next?

These uninvited party crashers have put the UnitedHealth Group in hot water. These congressional hearings are just the tip of the iceberg for the medical titan. Here at Abyde, we’re keeping a close eye on things, and you can bet we’ll keep you in the loop through our blogs and social media on the latest in these hearings.

Want to stay on top of all things compliance? Follow us and watch for our This Week in Compliance series – it’s your one-stop shop for compliance info!

Change Healthcare Breach: What We Know Now
March 14, 2024

BREAKING NEWS! Your friends at Abyde are right back at you with an update on the Change Healthcare breach. Check out our first blog post on the breach here!

Now, to quickly bring you up to speed, Change Healthcare, a division of United Healthcare, was impacted by a ransomware attack. This ransomware attack is like nothing we’ve ever seen, and is being called the most significant attack on our healthcare system of all time. It was disastrous, taking Change Healthcare systems offline and making it impossible for healthcare providers to check for insurance eligibility, see new patients, process prescriptions correctly, and much more.

It’s been several weeks since the initial attack, and we have the latest scoop for you.

What’s going on now?

Well, now here comes the fallout. While some of the systems have been able to get back online, like pharmacy functions, Change Healthcare is still not 100%. This has been detrimental to healthcare providers, and is costing them $100 million a day! Now, I know that’s gotta hurt.

The lawsuits are starting to roll in, too. Multiple class action lawsuits have been filed against Change Healthcare/United Healthcare due to its inadequate security systems and how the attack has been handled. Unfortunately, in this attack, it’s highly likely Protected Health Information (PHI) is in the hands of criminals. In this ransomware attack, over six TB of stolen data was encrypted by the deceptive hackers. So, these lawsuits are just getting started.

The government is also involved in this breach, investigating the causes and effects of the ransomware attack. The FBI has run into this group of hackers before and has taken some of their servers offline, causing many to think this attack was an act of vengeance. The Department of Health and Human Services also came together to discuss and address the impact of the cyberattack, with more to come. As of yesterday, March 13, the Office of Civil Rights also released a statement announcing the start of its investigation of the attack.

It’s safe to say this is far from over, and it’s been a tough month for United Healthcare.

What should I do?

To keep up with the news, we recommend you follow our news page, where we release the newest updates in compliance news and the best tips for your practice or business. To keep up with the Change Healthcare system updates, you can follow this page here.

To keep your practice or business safe, and avoid the hot water that United Healthcare found itself in, it is essential for you to proactively protect your organization. This includes working with an IT company, employing firewalls and encryption, and of course, having compliance software like Abyde.

Abyde is your one-stop shop when it comes to compliance management, allowing you to evaluate your risks and address them before it’s too late. Need documentation in order? Yeah, all in the software. Oh and – let me stop you right there, yes, we also dynamically generate our personalized policies and procedures, so don’t worry about writing them.

And if you experience a breach? We’re here for you. We have an awesome team of compliance experts here to help you navigate any situation, so you’re not alone.

Want to learn more about compliance? Reach out to us at info@abyde.com and schedule a compliance consultation here for Covered Entities, and here for Business Associates!

Change Healthcare Breach: A Long Road Ahead
April 26, 2024

It’s Friday! It’s time to unwind and not think about work for a few days… except for the Change Healthcare breach; that party’s not over. Let’s get you caught up.

We’ve kept you updated on the Change Healthcare Breach on the blog and on our social media with our This Week in Compliance (TWIC) series, and there have been some significant developments in this compliance catastrophe. Accompanied by our This Week in Compliance (TWIC) video, let’s dive into the latest on the Change Healthcare breach.

Double Trouble

Sometimes, two isn’t better than one. Change Healthcare received a double scoop of trouble, and, unlike a sundae with delicious hot fudge, this came with two servings of ransom demands!

Change Healthcare is no stranger to ransom demands, paying $22 million in Bitcoin to the BlackCat hacking group. This is just the beginning of the story. Another hacking group, RansomHub, announced they had several terabytes of Protected Health Information (PHI).

For some perspective, here’s a simple explanation. A terabyte contains over 5 million document pages! Think about how many patients a leak of that information could impact!

At first, there was skepticism about whether these RansomHub bullies truly had access to the information or were bluffing for a ransom payment. Unfortunately, RansomHub does have this PHI, sharing over 20 victims’ health information to prove a point. While we don’t know how much it is, we’re willing to bet it’s much more than an Abyde subscription.

Pretty Penny for PHI

This breach is costing the UnitedHealth Group over a billion dollars! These costs impact not only the medical giant but all of the practices and hospitals that rely on the organization to process prescriptions. According to the American Hospital Association, 94% of all hospitals report financial impact, with 33% saying it cost them more than half of their revenue!

In addition to the monetary costs of the attack, the UnitedHealth Group has to repair its shattered reputation. The UnitedHealth Group is currently caught in the crosshairs of national-level legal proceedings, with Congress beginning hearings on the attack. Shockingly, UnitedHealth Group was not in attendance, but the CEO, Andrew Witty, is due for an appearance at the beginning of May.

What’s next?

This breach is a serious reminder that no matter how big, or small, your practice is, data breaches can happen to anyone. It’s important to stay proactive and address your vulnerabilities to protect PHI.

As we continue to discover the extent of the attack, even if your practice didn’t cause the breach, Covered Entities must notify affected patients according to the Breach Notification Rule. For our Abyde users, check out the What’s New section for guidance on notifying your patients. The HHS also has a FAQ section on its website regarding the breach.

To learn more about how to keep your practice safe, schedule a consultation with a compliance expert here.