122 views 38 secs 0 comments

HHS Office for Civil Rights Issues Letter and Opens Investigation of Change Healthcare Cyberattack

Today, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing the cybersecurity incident impacting Change Healthcare, a unit of UnitedHealthcare Group (UHG), and many other health care entities. The cyberattack is disrupting health care and billing information operations nationwide and poses a direct threat to critically needed patient care and essential operations of the health care industry.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities (most health care providers, health plans, and health care clearinghouses) and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.

Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022.

Read the Letter – PDF

Source: U.S. Department of Health and Human Services, March 13, 2024