In an era where cyber threats loom large, the healthcare industry’s data security practices are under intense scrutiny. On February 21, 2024, Change Healthcare, a subsidiary of UnitedHealth Group, was the target of a cyberattack. This attack, attributed to the ALPHV/Blackcat ransomware group, disrupted over 100 systems, affecting claim processing and prescription services for millions of patients.
The breach prompted SEC regulatory filings, extensive forensic investigations, and a painstaking recovery process. With data theft confirmed, UnitedHealth is analyzing the stolen files to gauge the breach’s scope. Additionally, the company provided more than $3.3 billion in loans to healthcare providers facing operational delays. As systems are gradually being restored, the full timeline for recovery is uncertain.
UnitedHealth anticipates a potential loss of up to $1.6 billion for the fiscal year. Amid recovery efforts, a new ransomware group, RansomHub, claimed possession of the stolen data, intensifying the crisis. Scam calls targeting patients and criticisms of Change Healthcare’s recovery pace have emerged.
The Department of Health and Human Services issued guidance for affected entities; and, the Department of State is offering a reward for information on the ransomware group involved.
As the industry grapples with the fallout, the importance of HIPAA compliance and cybersecurity measures has never been clearer. Below are essential tips to bolster cyber defenses and ensure compliance:
Practical Tips for Healthcare Providers:
- Conduct Regular Risk Assessments. Periodically evaluate all computer systems to identify vulnerabilities and potential threats. (Following the HIPAA Minimum Necessary Rule)
- Implement Robust Access Controls. Ensure access to protected health information (PHI) is restricted to authorized personnel only.
- Employee Training. Regularly train and retrain staff on cybersecurity best practices and HIPAA regulations.
- Data Encryption. Encrypt electronic PHI both in transit and at rest to prevent unauthorized access.
- Backup Data. Maintain up-to-date data backups and test recovery procedures to minimize disruption during an attack.
- Incident Response Plan. Develop and regularly update an incident response plan to swiftly contain and mitigate cyber incidents.
- Patching and Updating. Keep software and systems updated with the latest security patches.
- Vendor Management. Ensure business associates and vendors are also HIPAA compliant and adhere to stringent security standards.
- Cyber Insurance. Consider obtaining cyber liability insurance to mitigate financial risks associated with data breaches.
As recovery efforts continue, the full extent of the legal and financial consequences of the cyberattack on Change Healthcare remains to be seen. It is a stark reminder of the ever-present cyber threats and highlights the urgent need for stringent healthcare governance and HIPAA compliance.
Is your healthcare practice prepared to face the complexities of HIPAA compliance and cybersecurity?
If you have any questions or need assistance navigating these critical issues, our legal experts are ready to help. Contact us today to ensure your data protection measures reasonably mitigate risks and your compliance is beyond reproach. Don’t wait for a breach to happen—proactive measures are key to maintaining patient trust and avoiding costly penalties.
If you would like to discuss the issues raised here, please contact Rosenblatt Law Firm at (210) 562-2900.