The U.S. Department of Health and Human Services (HHS) has stepped in to ensure patients are made aware if their sensitive data was compromised during February's massive cyberattack on health IT firm Change Healthcare.
In a ruling issued on May 31, 2024, HHS stated that hospitals and health systems impacted by the Change Healthcare data breach must now require the insurance giant UnitedHealth Group to directly notify affected individuals about potential exposure of their personal and medical information.
The unprecedented directive stems from Change Healthcare's business acquisition by UnitedHealth in 2022. As the new owner, UnitedHealth assumed responsibility for addressing the incident's fallout, including legally-mandated breach notifications.
"Patients have a right to know if their private health data may have been compromised," said HHS Secretary Xavier Becerra. "We're using our regulatory authority to ensure transparency and protect individual privacy rights."
The Change Healthcare attack, which occurred on February 22, 2024, involved a highly-sophisticated cybercriminal group deploying malicious encryption malware on portions of the company's systems, including databases storing patient data.
While no specific individuals have been publicly identified as impacted, the scope of the breach raised alarms. Change Healthcare provides revenue cycle management and data solutions utilized by thousands of healthcare providers across the United States.
"Patient safety is directly impacted by cybersecurity hygiene. A cyberattack can render lifesaving medical devices inoperable, put medical records beyond the reach of clinicians, and the identity theft associated with a data breach can prolong the misery for patients," said Esmond Kane, CISO at Steward Health Care. "Healthcare leaders must work to improve patient safety and cybersecurity. That work must occur in concert with our colleagues in the government including HHS and CISA, and industry efforts led by AEHIS, AHA, JCHO, H-ISAC, and others."
HHS determined that many providers delegated breach notification responsibilities to Change Healthcare itself following the incident. However, the company's absorption into UnitedHealth created confusion and delays around which entity would notify potentially impacted parties as required by HIPAA regulations.
"This is an interesting change for breach notification. Normally, the provider—a hospital, clinic, or physician—would provide breach notices to their patients, even when the breach is caused by a third party," said Justin Armstrong, vCISO and Founder, Armstrong Risk Management, LLC. "This is logical since the patients may not have heard of the third party before, and it would be confusing hearing about it from them and not their care provider. In a case like this, where the entity is large and well known—and the breach notification is complex—this decision to have UnitedHealth inform patients makes good sense."
Under HHS's new mandate, UnitedHealth must now definitively inform all individuals whose data was present in the compromised Change Healthcare IT environment, even if it's uncertain whether their specific records were actually accessed.
The ruling is the federal government's firmest stance yet on the data breach, which raised concerns from patient privacy advocates and members of Congress about potential violations of consumer data protections.
[RELATED: Hospitals Seek Federal Help as Change Healthcare Ransomware Attack Disrupts Payments]
UnitedHealth has yet to indicate what volume of notifications may be required, but it signaled willingness to cooperate with regulators to ensure compliance. Privacy experts say the case could set an important precedent around data breach accountability for organizations in acquisition scenarios.
As large-scale healthcare cyberattacks multiply, the HHS action reflects an emphasis on empowering patients with transparency around incidents that could compromise their most sensitive information.
[RELATED: See the list of the 115+ healthcare cybersecurity companies to know from Becker's Hospital Review.]