Change Healthcare (CHC) – HIPAA Breach Notifications

Change Healthcare, owned by UnitedHealth Group, provides services to health care providers, health insurance plans and other companies. In providing these services, which include submitting and processing health insurance claims and pharmacy benefits, CHC stores personal and/or health information.

In late February 2024, CHC was the victim of a ransomware attack, and it announced that the impacted data could cover a “substantial proportion” of individuals in the United States. To learn more from CHC, click here.

Because of the large number of patients impacted, HHS released an FAQ page regarding the incident. The FAQs include a reminder that covered entities have an obligation to safeguard PHI, along with tools to assist with this. HHS also confirmed that the Office of Civil Rights (OCR) initiated an investigation of the breach.

Note: This incident serves as another reminder to those who sponsor group health plans. Group health plans are HIPAA covered entities that must comply with HIPAA privacy and security rules, among other obligations. Contact your IMA rep to learn more.

Change Healthcare contacted affected parties regarding the incident and offered to have those parties’ notification duties delegated to Change Healthcare, according to communications received by group health plan administrators on June 20, 2024.

A vast amount of information was compromised in this incident, and affected individuals should be notified to mitigate any potential harm. However, the lack of available information in this case has made it difficult for employers to know who to notify, and what to tell them – and a blanket notification of a potential threat to personal information would likely cause more confusion than clarity. For now, we recommend that employers delegate notification duties to CHC to ensure that their participants get the latest information.

Note: If your organization did not receive a letter from CHC, presumably, none of your plan information was part of the breach. This means you don’t need to take any action.

IMA will continue to monitor regulator guidance and offer meaningful, practical, timely information. This material should not be considered as a substitute for legal, tax and/or actuarial advice. Contact the appropriate professional counsel for such matters. These materials are not exhaustive and are subject to possible changes in applicable laws, rules, and regulations and their interpretations.