Change Healthcare reported its progress regarding its analysis of the files stolen during the February ransomware attack. To date, healthcare companies, insurance companies, and other organizations impacted have been advised. Over 90% of the impacted files had been reviewed though Change Healthcare has not yet confirmed specifically what information had been compromised for each impacted covered entity. The breached data may include names, birth dates, addresses, diagnostic images, payment data, passport numbers, Social Security numbers, state ID numbers, and medical insurance data. Medical graphs and medical backgrounds were unlikely to have been compromised.
Under the HIPAA Breach Notification Rule, covered entities need to issue breach notifications without unnecessary delay and within 60 days of discovering a data breach. In case a data breach takes place at a business associate, HIPAA covered entities can issue breach notification letters within 60 days of receiving the breach notification from the business associate. They can ask the business associate to send the notifications on their behalf, but they bear the responsibility of making sure that notifications are issued.
OCR has announced that Change Healthcare could issue notification letters on behalf of the covered entities impacted by the ransomware attack. United Healthcare Group also announced to the public that it will assist the impacted covered entities with their management and breach notification requirements. Every impacted covered entity should collaborate with Change Healthcare concerning the issuance of breach notification letters.
Change Healthcare stated it hopes to finish mailing the breach notification letters in late July for all impacted covered entities that have outsourced to Change Healthcare the sending of their notifications, even if updated contact details may not be available for all of the people. The breach investigation and file evaluation is in progress, and Change Healthcare stated it may identify more people who were impacted as the investigation moves along.
The June 20, 2024 media notice and substitute notification are in line with the current communication provided by Change Healthcare regarding the cyberattack. Although the data analysis is in its final stages, credit monitoring, and identity theft protection will still be offered to people worried about the potential effect on their data.
