On February 21, 2024, Change Healthcare released information regarding a cyber security issue resulting in an enterprise-wide network interruption. Change Healthcare is part of the health services provider Optum, Inc., which is owned by UnitedHealth Group. By Thursday, February 22nd, both Change Healthcare and UnitedHealth acknowledged the issue and announced it was anticipated the threat could last beyond the 24-hour mark. In the notification to members, Change Healthcare reported an unauthorized access to its systems which may have exposed both individual and healthcare providers’ sensitive personal and financial information. The breach may involve a wide range of data types, including, but not limited to patient records, billing information, and administrative data. Several pharmacies, including CVS Health, Walgreens, Publix and GoodRx, released statements around how the cybersecurity issue impacted their operations and the steps taken to mitigate the risk of a breach of member data.
Coincidentally, on the same day as the Change Healthcare ransomware attack, the Department of Health and Human Services (HHS) settled its suit against Green Ridge Behavioral Health, in which the Maryland based practice agreed to pay $40,000 in response to the ransomware investigation the HHS Office for Civil Rights (OCR) conducted, which reported to impact more than 14,000 people in 2019. This agreement marks the second settlement of its kind. In its announcement OCR stated, “ransomware and hacking are the primary cyber-threats in healthcare.” Further OCR reports, there has been a “264% increase in ransomware” and a “256% increase in large breaches” resulting from hacking.
While it may be difficult to prevent a cyber-attack, OCR outlined some best practices that should be followed to ensure a covered entity is in the best position to protect itself. As covered entities, health plans, plan sponsors, and their business associates should implement the following in an effort to mitigate or prevent cyber-threats:
- Ensure audit controls are in place to record and examine information system activity.
- Utilize multi-factor authentication to ensure only authorized users have access to protected health information (PHI).
- Encrypt PHI and implement regular reviews of information system activity.
- Integrate risk management and analysis into business processes.
- Provide training specific to organization and job responsibilities and incorporate lessons learned from previous incidents.
HHS has released guidance to help covered entities and their business associates understand and respond to potential ransomware threats. This guidance can be found here.
