Change Healthcare and United Health Group Cyber Attack
What You Need to Know
For those who have been affected by the Change Healthcare attack (and even for those who have not), here is what BTC recommends:
HHS Email
Today, 4.22.2024, HHS OCR sent an email update regarding the Change Healthcare cyber attack.
- HHS posted a new FAQ webpage https://www.hhs.gov/hipaa/for-professionals/special-topics/change-healthcare-cybersecurity-incident-frequently-asked-questions/index.html
- Open investigation: OCR confirmed that there is a full investigation of Change Healthcare and United Health Group (UHG). UHG and UHC (UnitedHealthcare) are associated; however, UHG also processes claims for other companies. Change Healthcare may have a hand in your claims even if it is not your clearinghouse.
- Breach notification: UHG has not yet issued a breach notification; they have 60 days.
- There are currently no instructions for providers who are covered entities in association with UHG and Change Healthcare's business associates. That will likely change once they issue their breach notification.
- HIPAA Reminders: HHS reminds providers to use the HHS Security Risk Assessment tools and to review the Factsheet: Ransomware and HIPAA https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/ransomware-fact-sheet/index.html
Summary of What Happened
- Change Healthcare and United Health Group (UHG) suffered a ransomware attack.
- The breach was caused by ONE employee download that allowed access to the database.
- Ransomware is when data is stolen and held for ransom. Sometimes the attackers threaten to leak the data; sometimes they remove it so you no longer have access. However, in most cases when payment is made, data leaks still occur.
- Many providers are seeing a delay in payment, claims submission, insurance verification, etc.
- Change Healthcare and UHG are working to get services up and running. They are focusing on pharmacy services first so patients can maintain their medications.
What Do We Recommend You Do?
- Be Informed: Know whether you are using Change Healthcare or UHG; ask your biller if you are unsure.
- Pay attention: Watch for any correspondence from UHC, Change Healthcare, UHG, your EHR provider, HHS, or your clearinghouse.
- Complete: If you have not done so already, complete a Security Risk Assessment for 2024. This is the number one item HHS looks for providers to have completed when it does a HIPAA audit. BTC AVM 950 in the Compliance Classroom will take you step by step through the process.
- Retrain: Retrain your staff on HIPAA Security and review your HIPAA Security Procedures. This major breach was caused by one employee. See BTC Form 1158 HIPAA Security Policies and Procedures.
- Consult: Consult with your IT personnel.
  - Do you have security in place?
  - Do you have verified backups?
  - Can employees approve downloads?
- Review: Other resources
  - BTC Form 1159 F HIPAA Security Contingency Plan Responding to Ransomware
  - BTC Form 1168A HHS Updates on Ransomware
  - BTC Form 1168B Ransomware Fact Sheet
  - BTC Form 1156 Security Reminders – Team Training
  - BTC Form 1158 HIPAA Security Policies and Procedures
  - BTC AVM 516 HIPAA Security Standards
  - BTC 519A HIPAA Fax And Email Security