Change Healthcare Responding to Cyberattack
Change Healthcare, a Nashville, TN-based provider of healthcare billing and data systems, has reported a cyberattack that has disrupted its systems. The attack was discovered on February 21, 2024, and the company says it acted quickly to contain the incident and prevent further impact.
The attack has caused organization-wide connectivity problems, and Change Healthcare's cybersecurity teams are working around the clock to mitigate the incident and restore the affected systems.
Change Healthcare is owned by UnitedHealth Group, which also owns the healthcare services company Optum. Through Optum, Change Healthcare provides prescription processing services to around 67,000 U.S. pharmacies covering 129 million patients. Change Healthcare processes more than 15 billion healthcare transactions a year and states that one third of patient records in the U.S. pass through its clinical connectivity tools. Its services are also used by Tricare, the health care program of the U.S. military, so military pharmacies, clinics, and hospitals have been affected by the outage. Retail pharmacies across the country are reporting delays in filling prescriptions because they are unable to submit claims to insurers for coverage.
In a filing with the U.S. Securities and Exchange Commission (SEC), UnitedHealth confirmed that Change Healthcare had suffered a cyberattack affecting multiple systems. At this stage of the incident response it is too early to say whether any patient data was exposed or stolen. Neither Change Healthcare nor UnitedHealth has given a timeline for bringing systems back online.
In the SEC filing, UnitedHealth stated that it believes the attack was carried out by a suspected nation-state threat actor rather than a cybercriminal group, but it provided no further details to support that assessment. The statement is concerning given recent reports of Chinese state-backed actors gaining access to U.S. critical infrastructure organizations, and the new sanctions being imposed on Russia in response to the death of Alexei Navalny.
There are also concerns that the attack could spread to pharmacies and providers connected to Optum systems. The American Hospital Association (AHA) has advised all of its members to disconnect from Optum immediately as a precaution. Healthcare providers that have been affected, or that may be exposed, are advised to remain disconnected from Optum until it is confirmed safe to reconnect. In the meantime, manual procedures are being used in place of the affected electronic systems.
What is HIPAA and does this Cyberattack Violate the Regulation?
All healthcare organizations that conduct electronic transactions involving protected health information (PHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for privacy and security. The HIPAA Privacy Rule prohibits disclosures of PHI to unauthorized persons. The HIPAA Security Rule requires safeguards to be implemented to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).
If an unauthorized person gains access to systems containing PHI, that access is treated as an impermissible disclosure of PHI and is a reportable HIPAA breach. However, a cyberattack that results in access to PHI is not automatically a HIPAA violation. The HIPAA Security Rule requires regulated entities to identify risks and vulnerabilities and to manage and reduce them to a reasonable and appropriate level; it does not require that all risks and vulnerabilities be eliminated.
The first priority after unauthorized system activity is discovered should be to contain the incident and ensure the threat actor has been evicted from internal systems. Systems should then be securely brought back online, and the nature and scope of the incident confirmed through a forensic investigation. Once it is established that patient data was compromised, the breach must be reported to the Department of Health and Human Services (HHS), and affected individuals must be sent individual notifications within 60 days of the breach being discovered. HHS investigates all breaches affecting 500 or more individuals to determine whether they resulted from noncompliance with the HIPAA Rules, and financial penalties can be imposed for noncompliance.
50,000-Record Security Breach Reported by Greater Cincinnati Behavioral Health Services
On December 10, 2023, Greater Cincinnati Behavioral Health Services (GCBHS) experienced a cyberattack that disrupted its network and prevented access to parts of its IT systems. Prompt action was taken to contain the incident, and third-party cybersecurity specialists were engaged to investigate the attack and assist with the response.
GCBHS said the forensic investigation is ongoing, but evidence has been found that an unauthorized third party accessed files containing patient data. Those files are still being reviewed, and notifications will be issued once that review is complete. According to GCBHS, the exposed data includes names, demographic information, Social Security numbers, driver's license numbers, dates of birth, and health information. GCBHS said it has implemented additional security measures and will offer affected individuals free credit monitoring and identity theft protection services. The breach was reported to the HHS' Office for Civil Rights as affecting around 50,000 patients.
Cyberattack on Business Associate Affects Bay Area Heart Center
Bay Area Heart Center in Florida has been affected by a cyberattack and data breach at Bowden Barlow Law, a business associate that provides debt collection services to the practice. The law firm's forensic investigation determined that the PHI of 11,709 Bay Area Heart Center patients was involved in the attack. The affected information was limited to names, addresses, dates of service, full and partial Social Security numbers, limited claims information, and insurance policy numbers. Bowden Barlow Law has strengthened its cybersecurity and is offering affected individuals one year of free credit monitoring services.