We often speak on this blog about protecting your organization from data breaches and cyber-attacks. The emphasis on personal health information (PHI) and HIPAA is especially prevalent when it comes to necessary compliance and regulation in the healthcare industry. Unfortunately, every once in a while, a real-world event illustrates the need for all of this vigilance and preparation.
A February 2024 attack on Change Healthcare reportedly impacted billing and care authorization portals, leading to prescription backlogs and missed revenue for providers. The breach also threatened payroll and, in some cases, patient care. The situation inspired high-level calls for action from Congressional leaders and medical organizations like the American Medical Association, who encouraged the Department of Health and Human Services to “use all its available authorities to ensure that physician practices can continue to function, and patients can continue to receive the care that they need.” The breach was the most significant of its kind to date, impacting physician practices across America, and thwarting patient access to the medical community.
The American Hospital Association indicated early on that hospitals and health systems may require “immediate federal support”, considering the massive reach of Change Healthcare’s systems. AHA President and CEO Rick Pollack called the attack “the most serious incident of its kind leveled against a U.S. health care organization.”
How many transactions were affected? Change Healthcare is owned by UnitedHealth Group and manages health care technology systems that are responsible for processing insurance claims and billing – at a rate of 15 billion transactions every year. According to government reports, United Healthcare has stated that 50% of U.S. medical claims travel through Change’s “electronic data interchange clearinghouse.”
According to a UnitedHealth Group spokesperson, the breach occurred on Feb. 21, 2024. Although immediate steps were taken to prevent further impact, the ramifications are still being felt nearly 3 weeks later.
March Updates
In a statement released on March 7, UnitedHealth Group indicated it had made “substantial progress” in response to what they called an unprecedented cyberattack on the U.S. health system. Noting that the attack targeted pharmacy, medical claims and payment systems, CEO Andrew Witty shared:
“We are committed to providing relief for people affected by this malicious attack on the U.S. health system. All of us at UnitedHealth Group feel a deep sense of responsibility for recovery and are working tirelessly to ensure that providers can care for their patients and run their practices, and that patients can get their medications. We’re determined to make this right as fast as possible.”
On March 13, 2024, the U.S. government revealed that an investigation into the cyberattack had been opened in order to determine whether there was a breach of protected health data (PHI) and if UnitedHealth Group had complied with U.S. health privacy law. Patient information is protected under the Health Insurance Portability and Accountability Act, or HIPAA. (Read More about HIPAA here)
Under HIPAA, healthcare clearinghouses, plans and providers are required to report breaches to individual consumers (patients) within 60 days of discovery. Experts believe that the scale and scope of his attack could make it challenging for UnitedHealth and other businesses covered by HIPAA to comply with their reporting obligations in this case.
Make Sure Your Healthcare Company is Ready
Although this data breach was massive in scale, it underscores the reality that not only is data at risk to cyberattack, but that corporations may be held liable for their ability to react and respond. All organizations that handle PHI should recognize the cautionary tale and immediately assess their capability to identify, repel and react to a cyberattack.
Alliance IT is dedicated to helping local business to fortify their IT systems and develop resiliency in their systems. If you are ready to learn more, call us today.