

Change Healthcare Not Alone
Hospitals and other health care providers have been especially vulnerable. The Office for Civil Rights
at the U.S. Department of Health and Human Services, which tracks data breaches affecting 500
or more individuals, reported 872 breaches on its website between March 21, 2022, and March 25,
2024, with the vast majority “hacking/IT incident(s)” rather than unauthorized access/disclosures.
The companies targeted include a mix of physician practices, hospitals, integrated health
systems, medical device makers, pharmacies, health care billing systems and health plans,
according to the OCR’s report, which has been nicknamed the “HIPAA Wall of Shame.” HCA
Healthcare, a leading health system, reported a breach that affected more than 11 million patient
records at the end of July 2023, the report said.
Regulatory and Legal Response
Change Healthcare filed a petition supporting a move to have the 24 legal actions filed against
the company as of April 2 to be heard in the Middle District of Tennessee, which is in Nashville.
“Key custodians, witnesses, and evidence—including many Change corporate records,
documents, and servers—are in Tennessee,” Change said in its filing, which also noted the first
and the majority of legal actions were filed in this court.
In the wake of the Change Healthcare cyberattack, U.S. Sen. Mark Warner introduced legislation
allowing for advance and accelerated payment to impacted health care providers who, along
with their vendors, meet minimum cybersecurity standards. The attack on the UnitedHealth
Group subsidiary “paralyzed billing services for providers nationwide, leaving many in danger of
becoming financially insolvent,” the Virginia senator said in a statement.
The Health Care Cybersecurity Improvement Act of 2024 introduced by Warner would modify
the existing Medicare Hospital Accelerated Payment Program and the Medicare Part B Advance
Payment Program.
“It was only a matter of time before we saw a major attack that disrupted the ability to care for
patients nationwide,” Warner said. “The recent hack of Change Healthcare is a reminder that
the entire health care industry is vulnerable and needs to step up its game. This legislation would
provide some important financial incentives for providers and vendors to do so.”
The effects of the attack have rippled throughout the U.S. health care system. HHS Secretary
Xavier Becerra and U.S. Department of Labor Acting Secretary Julie Su called on UnitedHealth,
other insurers, clearinghouses and health care entities to do more to mitigate harm to patients
and providers. State officials and health care organizations have done the same.
States, including Arkansas, also are taking action after the attack on Change. Arkansas Attorney
General Tim Griffin said his office will investigate Change Healthcare under the state’s Personal
Information Protection and Deceptive Trade Practices Act. Griffin said he wants to know if
confidential medical information was compromised and/or laws violated.
“Additionally, my office will look into whether Change Healthcare used reasonable security procedures
and practices to protect this information as required by Arkansas law,” Griffin said in a statement.
The Maryland Department of Health said it determined that the Change cyberattack didn’t
immediately or directly put the department at risk. ”However, we continue to monitor the impact
of this outage on providers and patients,” it said on its website.
Renée Kiriluk-Hill
Senior Associate Editor
Best’s News
Copyright © 2024 A.M. Best Company, Inc. and/or its aliates. All rights reserved.