State AGs Warn Consumers About Change Healthcare Breach
Regulators Urge Vigilance Against Fraud as the Wait for Notifications Continues
Regulators in several states are warning consumers to stay vigilant against identity theft and fraud crimes as millions of patients across America await notification from Change Healthcare to learn whether they were affected by a massive February ransomware attack and data breach.
On Tuesday, the attorneys general of several states - including California, Massachusetts and New Hampshire - issued alerts urging consumers to tap into available resources, including Change Healthcare's offer for two years of free identity and credit monitoring, as they await potential individual breach notices from the company.
The warnings reflect the states' frustration over the slow response by Change Healthcare and its parent company UnitedHealth Group in informing individuals that their data was breached.
"Typically, when there is a data breach impacting Massachusetts residents, consumers receive an individualized letter or email if their data was impacted. However, Change Healthcare has not yet provided individual notice to consumers," said Massachusetts Attorney General Andrea Campbell in the alert.
"Change Healthcare has publicly stated that the data breach, which interrupted operations for thousands of doctor's offices, hospitals and pharmacies, could impact up to one-third of all Americans. It also resulted in Americans' sensitive health and personal data being leaked onto the dark web - a hidden portion of the Internet where cyber criminals buy, sell and track personal information," the alert says.
"Given the delay between the data breach and notification to those impacted, the Massachusetts Attorney General's Office is publicizing not just the breach, but also resources, including the offer that Change Healthcare has provided to the public," the alert says.
Massachusetts, California, New Hampshire and other states that issued warnings also joined with 22 state attorneys general in June to send a letter to UHG CEO Andrew Witty, urging the company to provide more transparency and to take "meaningful action" to protect healthcare entities, pharmacies and patients affected by the incident (see: State AGs, Industry Groups Urge Action in Change Health Saga).
Under the HIPAA breach notification rule, covered entities are required to notify affected individuals and the U.S. Department of Health and Human Services' Office for Civil Rights within 60 days of discovering a breach that compromises protected health information of 500 or more people. Many states also have their own breach notification requirements and deadlines.
UnitedHealth Group has offered to handle individual breach notification and regulatory reporting for affected organizations that request that service from the company.
In late June, Change Healthcare began to notify clients affected by the incident and said that breach notification to affected individuals was not likely to start until late July (see: Change Healthcare Begins to Notify Clients Affected by Hack).
"Some customers were told that their PHI was involved in the incident, while others were told that, to date, based on its ongoing data review, CHC has not found any of their PHI," said regulatory attorney Sara Goldstein of the law firm BakerHostetler, who is working with some organizations affected by the Change Healthcare incident.
"However, many CHC customers did not receive any update from CHC. According to CHC, the data review is in its late stages of identifying specific covered entities and their specific individuals impacted by this incident," she told Information Security Media Group.
If during the data analysis PHI pertaining to additional covered entities is identified, CHC will send them an update on their findings, Goldstein said.
"It is possible that CHC customers that were told that, to date, their PHI was not identified in the incident, or have not received an update from CHC yet, may receive notice from CHC that their PHI was involved as the data analysis is ongoing."
For clients that Change Healthcare determined were affected by the breach, the company said it would handle all notifications to individuals and regulators on their behalf, as well as HIPAA substitute and regulatory notices, unless the CHC customer opted out of having CHC handle notifications on their behalf by July 8, Goldstein said.
"For those CHC customers that do not opt out, CHC stated that notices would be mailed to their members and patients starting late July."
In the meantime, some Change Healthcare clients have posted on their own websites links to the substitute HIPAA breach notice Change Healthcare issued on June 20.
While HHS OCR announced in March that it had launched an investigation into the Change Healthcare cyberattack and would scrutinize whether the company or its parent UHG has violated the HIPAA rules, some experts said there is also a strong possibility that states will pursue their own investigations.
"The HITECH Act gave state attorneys general the authority to bring civil actions on behalf of state residents for violations of the HIPAA privacy and security rules," Goldstein said.
Attack Details
Ransomware group BlackCat has claimed credit for the massive attack on Change Healthcare, which for several weeks severely disrupted more than 100 IT services and products used by thousands of healthcare sector entities across the U.S., covering everything from preauthorization and claims processing to prescription filling.
UnitedHealth Group CEO Witty testified before two congressional committees in April that the company paid the attackers a $22 million ransom demand in the incident (see: UnitedHealth CEO: Paying Ransom Was 'Hardest Decision' Ever).
But another group, RansomHub, claimed to have custody of 4 terabytes of stolen Change Healthcare data.
In April, RansomHub began leaking some 22 files of UHG's stolen data after a BlackCat affiliate alleged it had been cheated out of its cut of the $22 million ransom that UHG had initially paid. But RansomHub removed the leaked data from its dark web site after a few days, fueling speculation that UHG had paid a second ransom to suppress the release of the stolen data.
UnitedHealth Group declined ISMG's request for an update on the investigation into the incident and for comment regarding the company's individual notification plans and timeline. HHS OCR did not immediately respond to ISMG's request for comment.