Tag: Change HealthCare Cybersecurity Incident
UHC Major Data Breach
Just four months after the Change Cyberhack, UnitedHealth Care is hit again.
Community Health Centers (CHC) has disclosed a major data breach. CHC has revealed that a “substantial quantity of data” was stolen, impacting a “substantial proportion of people in America.” UnitedHealth’s CEO Andrew Witty estimated one-third of all Americans have been affected by the breach. That is over 111 million people.
“While CHC cannot confirm exactly what data has been affected for each impacted individual, information involved may have included contact information (such as first and last name, address, date of birth, phone number and email.
This means that millions of individuals could be at risk of identity theft and other forms of fraud.
Physicians Can Delegate Breach Notifications to Change Healthcare
However, this delegation is only allowable if Change Healthcare or UHC are business associates of the covered entity. OCR made clear that the ultimate responsibility for ensuring such notifications occur remains with the covered entity, meaning physicians may still need to provide breach notifications under those circumstances.
FTC Mandates Vendors Notify Patients of Breaches
The Federal Trade Commission (FTC) has amended its Health Breach Notification Rule to require vendors of personal health records (PHR) and related entities not covered by HIPAA to notify individuals, the FTC, and, at times, the media, when a breach in protected health information (PHI) occurs. The change will take effect July 29.
Physicians do not have to notify patients if their PHI is leaked via a PHR vendor that is not a business associate of the physician. That responsibility falls to the vendors themselves.
UHC Responsible for Breach Notifications
The Health and Human Services (HHS) Department announced Friday (May 31, 2024) that United HealthCare must take responsibility for informing people about privacy breaches resulting from the Change Healthcare cyberattack.
UnitedHealth Group previously disclosed that the ransomware attack exposed personal information of a “substantial portion” of Americans.
That “substantial portion” turns out to be 1 in 3 Americans.
“OCR must affirm its position that the breach was perpetrated upon Change Healthcare, whose status as a healthcare clearinghouse makes them a covered entity under HIPAA and thus responsible for the breach of any [protected health information] which it processes or facilitates the processing of,”
Under HIPAA, UnitedHealth Group must provide affected individuals with descriptions of the incident, what data were compromised, how the company responded to the attack, how the company can be reached and what individuals can do to protect themselves.
Cyberattack Added to MIPS Hardship Exemption
Due to the ongoing impact of the Change Healthcare cyberattack on an increasing number of physician practices, the Centers for Medicare & Medicaid Services (CMS) has added an option to cite the cyberattack when requesting a hardship exemption within the 2024 Merit-based Incentive Payment System (MIPS).
CMS has added the option to the Extreme and Uncontrollable Circumstances (EUC) application. The 2024 MIPS EUC portal is now open, and physicians have until Dec. 31 to file a hardship application and avoid a 2026 MIPS negative payment adjustment.
Virtual Vigilance
“The Change outage was disruptive to the business of my practice, but most importantly it was disruptive to my patients,” Dr. Bruggeman testified. “Every minute my staff spent trying to reconcile [electronic remittance advice] with received payments, assessing which patients received incorrect bills, [and] resubmitting prior authorizations is time taken away from patient care.”
Robust Cybersecurity Can Safeguard Practices
By Alisa Pierce Texas Medicine June 2024
Data held hostage
. . . cautions that ransomware attacks can be delivered via multiple platforms, such as in email attachments or links within an email. Malicious attachments can include documents, zip files, and executable applications, and suspicious email links can bring users directly to websites that are used to place malware on a system.
Similarly, “phishing” email scams can give hackers access to internal business systems that could reveal confidential information like credit card numbers, personal identity data, and passwords. Often these emails appear to come from real companies or trusted individuals.
From there, hackers steal electronic patient data, even encrypted information; block the practice from accessing it; and demand a ransom for its return, much like “a hostage situation,” according to Shannon Vogel, TMA’s associate vice president of health information technology.
If that data aren’t backed up, practices don’t have much leeway. At that point, they can either hope the data can be retrieved by law enforcement or move forward without patient records.
“It’s vital that practices talk to their [electronic health record] and other vendors about redundant systems so that all is not lost,” Ms. Vogel said. “Otherwise, it would be like starting from scratch.”
Cigna and Zelis
If you have accidentally signed up to receive virtual credit card (VCC) payments, and would like to change back to Automated Clearinghouse (ACH), please call Zelis.
Zelis Customer Service: (877) 828-8770
If you have questions regarding claim payments, please contact the Cigna Healthcare Provider Service Line at (800) 882-4462.
UHC Notably Absent from Congressional Hearing
Quotes from Texas Medicine 4/19/2024, Emma Freer Article
“The attack has exposed the vulnerability in our health care system and the disproportionate burden placed on physician practices by insurers, government payers, and third-party vendors,” Dr. Bruggeman told lawmakers.
“The Change outage was disruptive to the business of my practice, but most importantly it was disruptive to my patients,” he said. “Every minute my staff spent trying to reconcile [electronic remittance advice] with received payments, assessing which patients received incorrect bills, [and] resubmitting prior authorizations is time taken away from patient care.”
“To add insult to injury, some of these practices were purchased by Optum during the crisis,” he said. “There were even reports of Optum using the financial emergency caused by the cyberattack on its own subsidiary as legal justification to expedite its acquisition of physician practices.”
In the meantime, Dr. Bruggeman called on Congress to pass legislation that would insulate physician practices from industry consolidation and other existential threats.
“Allowing physicians to practice in the setting that is best for them, their patients, and the broader community should be the hallmark of our United States health care system,” he said. “Instead, the increase in administrative burden, including the new threat of potential cyberattacks, makes such events catastrophic for many providers.”
For the full, very interesting article: https://www.texmed.org/TexasMedicineDetail.aspx?id=64062&utm_campaign=TMT&utm_medium=email&_hsenc=p2ANqtz-9E4jpFAqBr1fYThi6pjc3ECIrkJtF4-urerPcLF78JmZ4BixUPkxoA-ngiRvbPx06ORd5U2bsbiOEFK-CaqUP6-URb8jMZ6SEHyZL-aPXwfFmCQ9w&_hsmi=303492305&utm_content=303492305&utm_source=hs_email
Change Healthcare Update
In its latest update on the response to the cyberattack on Change Healthcare, UnitedHealth Group said that its largest clearinghouse, called Relay Exchange, will be back online by the end of the weekend and the company will begin processing $14 billion in medical claims.
“Once a critical mass of payer connectivity has been established, we will turn on claims processing for Assurance customers. That process will occur automatically for those Assurance customers when we trigger restart,” UnitedHealth said in its update. “Following activation of Assurance software customers, we will turn our attention to the reactivation of all other Relay Exchange claims submitters. Throughout the reactivation of these provider customer groups, we will continue to add additional payer connectivity to close any remaining gaps. We will start immediately with establishing payer connectivity so claims entering the clearinghouse have a destination.”
The company is targeting the week of April 1 to restore its clinical exchange service, payer connectivity and hosted payer services.
The following week, April 8, the company plans to restore its Risk Manager and Health QX products.