MGMA asks OCR to hold Change responsible for breach notifications

The Medical Group Management Association is requesting that the OCR hold UnitedHealth and Change Healthcare responsible for alerting individuals of the massive breach.


What happened

As one of the biggest cybersecurity events in history, the Change Healthcare ransomware attack continues to draw massive attention from lawmakers, healthcare organizations, and the public. 

It’s estimated that nearly 30% of Americans have had data impacted in some capacity. While UnitedHealth ultimately paid a $22 million ransom to the extortion group, BlackCat, they still face threats from other actors, now aligned with RansomHub, who may have been involved. Despite the ransom payment, data still found its way to the dark web.

Senior Vice President of Government Affairs for the Medical Group Management Association, Anders Gilberg, stated that approximately 15,000 medical group practices have been impacted. Now, MGMA is concerned about the administrative work of alerting patients of data leaks.


What’s new

HIPAA breach notification rules require organizations to alert impacted individuals of a data breach within 60 days of discovery. 

Change discovered the network breach as early as February 21st. According to one lawsuit, Change should have submitted an initial breach report on or before April 21st. The magnitude of the breach likely resulted in delays, but no notices have been released yet.

In late April, UnitedHealth Group stated it would “help ease reporting obligations on other stakeholders whose data may have been compromised as part of this attack.” 

The organization further agreed to “make notifications and undertake related administrative requirements on behalf of any provider or customer.” 

In a letter to the OCR, Gilberg stated there is still “confusion surrounding the extent to which protected health information and personally identifiable information have been improperly disclosed…to whom, and on whom the burden of providing HIPAA-required breach notifications to both your office and affected patients will fall.” 

While Gilberg is hopeful that Change will bear the administrative burden, without any official agreement, MGMA worries the promise may be empty. 

“As more patients become aware of the possible disclosures of their sensitive PHI and PII, they will turn to their providers for information and assurances, neither of which can currently be provided,” he added.  


What’s next

While Change has not made any official agreements regarding notifications, they will likely face increasing pressure from the public, the OCR, and impacted organizations. 

MGMA specifically is asking the OCR to clearly state the following: “1) Responsibility for breach notifications rests solely with Change and United; 2) Providers that are completely innocent in this unique situation will be spared any regulatory scrutiny; and 3) Your office will ensure that Change and United fulfill the promises they have made in a prompt and transparent manner.”


The big picture

As the OCR decides how to respond to these requests, there is still significant uncertainty regarding whose data, and which data, may have been impacted. Even if Change Healthcare has the best intentions to swiftly alert impacted individuals, it may not be so simple; with such a high number of affected individuals, sending notifications will likely be another huge and costly endeavor.
