The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter on March 13 to address the cybersecurity incident currently impacting Change Healthcare, a unit of UnitedHealthcare Group (UHG), and other healthcare entities.
OCR “enforces the HIPAA Privacy, Security, and Breach Notification Rules, which sets forth the requirements that HIPAA covered entities…and their business associates must follow to protect the privacy and security of protected health information and the required notifications to HHS and affected individuals following a breach.”
There has been a “256% increase” in large security breaches reported to OCR over the past five years “involving hacking and a 264% increase in ransomware.” The large breaches reported in 2023 alone “affected over 134 million individuals, a 141% increase from 2022.”
The letter from the OCR itself emphasizes the “direct threat to critically needed patient care and essential operations of the health care industry” caused by the cybersecurity incident that started in late February. They announce that they will be investigating the incident due to its “unprecedented magnitude” in order to determine “whether a breach of protected health information occurred and Change Healthcare’s and UHG’s compliance with the HIPAA Rules.” The letter also encourages “entities that have partnered with Change Healthcare and UHG of their regulatory obligations and responsibilities, including ensuring that business associate agreements are in place and that timely breach notification to HHS and affected individuals occurs as required by the HIPAA rules.”
OCR also shares a list of resources in the letter “to assist [companies] in protecting [their] records systems and patients from cyberattacks,” which include videos, webinars, and factsheets on ransomware, HIPAA, and Healthcare and Public Health (HPH) cybersecurity performance goals.
The press release and the full text of the letter can be found on HHS’s website.
