Feds Issue Guide for Change Health Breach Reporting Duties
Breach Notification , Healthcare , HIPAA/HITECH
HHS OCR Says the Company Has Not Yet Filed HIPAA Breach Reports to the Agency
The Department of Health and Human Services has not yet received HIPAA breach reports from Change Healthcare or parent company UnitedHealth Group about their massive cyberattack. HHS is telling HIPAA-covered firms and their vendors to do their duty if a breach affects protected health information.
See Also: Take Inventory of Your Medical Device Security Risks
HHS’ Office for Civil Rights in new “frequently asked questions” guidance issued Friday night said it has not yet received breach reports from Change Healthcare, UHG or any other affected covered entities pertaining to the incident.
“Covered entities have up to 60 calendar days from the date of discovery of a breach of unsecured protected health information to file breach reports to OCR’s breach portal for breaches affecting 500 or more individuals,” HHS OCR said.
In general, once HHS OCR receives a HIPAA breach report for such an incident, the agency verifies the report with the covered entity. It can then take up to 14 days before the report is posted on the public-facing HIPAA Breach Reporting Tool website, HHS OCR said.
Covered entities affected by the Change Healthcare attack also are required to file breach reports to HHS and notifications to affected individuals “without unreasonable delay,” HHS said. Business associates affected by the incident also must notify affected covered entities after the discovery of the breach.
But the details of this notification event depend on a variety of factors, including when Change Healthcare actually notifies affected covered entities of a breach to their PHI and the extent of notification duties Change Healthcare and UHG are willing to handle on behalf of affected organizations.
“HIPAA-regulated entities affected by this incident should contact Change Healthcare and UHG with any questions on how HIPAA breach notification will occur,” HHS OCR said in the guidance.
Last week, UHG in its statement about the data compromise said it “will be offering to do the notification work for customers where permitted.”
But the extent of what UHG will be handling in terms of notification has not been made clear yet, said regulatory attorney Sara Goldstein of the law firm BakerHostetler.
“That could mean many different things. It could mean that they’re just going to give you a template notification letter and you can send it to whoever you think should be notified of this incident, or it could be more robust,” she said.
“Or, it could be in line with what typically happens when there is a breach involved at a vendor, where a vendor might notify by mail individuals, regulators, posting notices on their website, etc. So that’s to be determined”.
The 60-day regulatory countdown for when Change Healthcare and UHG need to report a PHI breach to HHS OCR and notify affected covered entities and individuals is unclear, Goldstein said.
UHG has said the company discovered on Feb. 21 that a threat actor had gained access to one of Change Healthcare’s environments.
Then, on April 15, UHG on an FAQ section on its public website confirmed that “personal health information and personally identifiable information” had been affected by the incident and that the company was working with forensics experts to determine the extent of the compromise (see: Company Says Change Healthcare Hackers Stole Sensitive Data).
The low-key admission from the company came as cybercriminal group RansomHub last week reportedly posted UnitedHealth Group data for sale on its dark web site and displayed several screenshots supposedly showing samples of 4 terabytes of data that an affiliate of another ransomware group – BlackCat/Alphv – claimed to have exfiltrated in the attack (see: Second Gang Shakes Down UnitedHealth Group for Ransom).
Earlier Access?
Hackers gained access to Change Healthcare’s network on Feb. 12, about nine days before they launched a ransomware attack, according to reporting on Monday by The Wall Street Journal. The attackers gained entry through compromised credentials on an application that allows staff to remotely access systems, a source close to the investigation told the Journal.
UHG so far has not explicitly called the compromised information “protected health information” in its public statements, and that makes it unclear when HIPAA breach reporting and notification duties kick in for Change Healthcare and UHG, Goldstein said.
“A breach is determined to be discovered by the covered entity on the first day that they knew about the breach. So, that usually happens when you experience a ransomware attack,” she said.
HHS OCR in its guidance underscored that the agency’s 2016 guidance on ransomware breaches is indeed relevant in the Change Healthcare attack.
“A breach, under the HIPAA Rules, is defined as, ‘the acquisition, access, use or disclosure of PHI in a manner not permitted under the HIPAA Privacy Rule,” the guidance says. “Whether the presence of ransomware would be a breach under the HIPAA Rules is a fact-specific determination.”
HHS OCR on March 13 publicly announced it had launched an investigation into the Change Healthcare attack “given the unprecedented magnitude of this cyberattack, its widespread impact on patients and healthcare providers nationwide, and in the interest of patients and healthcare providers.”
The agency said its investigation of Change Healthcare and UHG focuses on whether a PHI breach occurred and on the entities’ compliance with the HIPAA rules “because of the cyberattack’s unprecedented impact on patient care and privacy.”
OCR in its guidance reiterated that its interest in other organizations that partnered with Change Healthcare and UHG is secondary. “This would include those covered entities that have business associate relationships with Change Healthcare and UHG, and those organizations that are business associates to Change Healthcare and UHG.
“However, OCR reminded all of these entities of their HIPAA obligations to have business associate agreements in place and to ensure that timely breach notification to the HHS and affected individuals occurs,” the agency said.