Protecting Patient Privacy: OCR’s Response to the Change Healthcare Cybersecurity Incident

In recent years, the intersection of healthcare and cybersecurity has become increasingly fraught with peril. According to an OCR email released on March 13, 2024, “Ransomware and hacking are the primary cyber-threats in health care. Over the past five years, there has been a 256% increase in large breaches reported to OCR involving hacking and a 264% increase in ransomware. In 2023, hacking accounted for 79% of the large breaches reported to OCR. The large breaches reported in 2023 affected over 134 million individuals, a 141% increase from 2022”.

On March 18, 2024, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) issued a “Dear Colleague” letter addressing a significant cybersecurity incident impacting Change Healthcare, a unit of UnitedHealth Group (UHG), and numerous other healthcare entities across the nation. This cyberattack has disrupted critical healthcare and billing information systems, posing a direct threat to patient care and the essential operations of the healthcare industry.

The letter, signed by Melanie Fontes Rainer, Director of the Office for Civil Rights, underscores the gravity of the situation and OCR’s commitment to enforcing the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. These rules mandate stringent protections for protected health information (PHI) and require prompt notification to HHS and affected individuals in the event of a breach.

The scale of the cyberattack on Change Healthcare and its implications for patient care prompted OCR to open an investigation into the incident. The investigation will focus on determining whether a breach of protected health information occurred and on assessing whether Change Healthcare and UHG complied with the HIPAA Rules. While OCR’s investigation focuses on these two entities, the letter also reminds other organizations that have partnered with Change Healthcare and UHG of their own regulatory obligations, including maintaining business associate agreements that meet HIPAA requirements and following the breach notification rules.

In light of these challenges, OCR has provided a comprehensive set of resources to assist healthcare entities in bolstering their cybersecurity measures. These resources include educational materials on the HIPAA Security Rule, a video outlining how the Security Rule can mitigate cyberattacks, webinars on risk analysis requirements, a security risk assessment tool, guidance on dealing with ransomware, and healthcare-specific cybersecurity performance goals.

The letter also reflects OCR’s commitment to supporting healthcare entities as they navigate the complex landscape of health information regulations and cybersecurity threats. It urges all organizations to review their cybersecurity measures with urgency to ensure the continuity of patient care and the protection of sensitive health information.

In an era where healthcare relies increasingly on digital systems and interconnected networks, safeguarding patient privacy and securing health information is paramount. The collaboration between OCR and healthcare entities is essential in confronting the challenges posed by cyber threats and ensuring the integrity of our healthcare infrastructure.

As we move forward, it is imperative that healthcare organizations remain vigilant and proactive in their efforts to protect patient data. By leveraging the resources provided by OCR, adopting robust cybersecurity practices, and coordinating with industry experts, healthcare organizations can collectively fortify their defenses against cyber threats and uphold the trust and integrity of the healthcare system.