Change Healthcare, owned by UnitedHealth Group, provides services to health care providers, health insurance plans and other companies. In CHC’s role in providing services to providers and plans, personal and/or health information is stored. This role includes the submitting and processing of health insurance claims and pharmacy benefits.
In late February 2024, CHC was a victim of a ransomware attack where it announced that the impacted data could cover a “substantial proportion” of individuals here in the United States. To learn more from CHC, click here
Due to the extensive number of patients that were impacted, HHS released a FAQs page regarding the incident. Those FAQs also include a reminder that covered entities have an obligation to safeguard PHI and the FAQ includes tools to assist with this. HHS also confirmed that the Office of Civil Rights (OCR) initiated an investigation of the breach.
Change Healthcare contacted affected parties regarding the incident and offered to have those parties’ notification duties delegated to Change Healthcare, according to communications received by group health plan administrators on June 20, 2024.
A vast amount of information was compromised in this incident, and affected individuals should be notified to mitigate any potential harm. However, the lack of available information in this case has made it difficult for employers to know who to notify, and what to tell them – and a blanket notification of a potential threat to personal information would likely cause more confusion than clarity. For now, we recommend that employers delegate notification duties to CHC to ensure that their participants get the latest information.
