Cyberattacks on Change Healthcare, Bay Area Heart Center, and Greater Cincinnati Behavioral Health Services

Change Healthcare Responding to Cyberattack

Change Healthcare, a healthcare billing and data systems provider based in Nashville, TN, has announced that it suffered a cyberattack that resulted in network disruption. The attack was detected on February 21, 2024, and prompt action was taken to contain the incident and prevent further damage.

The Change Healthcare cyberattack has caused business-wide connectivity problems, and cybersecurity professionals are working around the clock to mitigate the attack and restore the affected systems.

UnitedHealth Group owns both Change Healthcare and the healthcare services company Optum. Change Healthcare provides prescription processing services through Optum, which serves more than 67,000 U.S. pharmacies and supports 129 million patients. Change Healthcare processes more than 15 billion healthcare transactions each year and states that one in three patient records in the United States passes through its clinical connectivity solutions. Tricare, the healthcare program of the U.S. military, also relies on Change Healthcare, so military pharmacies, treatment centers, and hospitals have been affected by the outage, and retail pharmacies across the country are experiencing delays processing prescriptions and have been unable to submit claims through insurance plans.

In a regulatory filing with the U.S. Securities and Exchange Commission (SEC), UnitedHealth stated that Change Healthcare had experienced a cyberattack affecting many of its systems. At this early stage of the incident response, it is too soon to tell whether any patient data was exposed or stolen in the attack. Neither company has given a timeline for bringing the affected systems back online.

UnitedHealth stated in its SEC filing that it believes the cyberattack was carried out by a nation-state actor rather than a cybercriminal group, but did not elaborate on the basis for that attribution. The statement is concerning in light of recent alerts about China maintaining access to critical infrastructure organizations in the U.S., and of the new sanctions about to be imposed on Russia in response to the death of Alexei Navalny.

There are also concerns that the cyberattack could spread to pharmacies connected to the Optum system. The American Hospital Association (AHA) has issued an alert advising all members to disconnect from Optum immediately as a precaution. All healthcare providers that were affected, or that may be exposed, are advised to remain disconnected from Optum until it is deemed safe to reconnect and to use manual processes in the meantime.

What is HIPAA and does this Cyberattack Break the Rules?

All healthcare organizations that conduct electronic transactions involving protected health information (PHI) must comply with the Health Insurance Portability and Accountability Act (HIPAA), which sets minimum standards for privacy and security. The HIPAA Privacy Rule prohibits the disclosure of PHI to unauthorized persons. The HIPAA Security Rule requires safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI).

When an unauthorized individual gains access to systems containing PHI, it is considered an impermissible disclosure of PHI and a reportable HIPAA breach. However, a breach resulting from a cyberattack is not necessarily a HIPAA violation. The HIPAA Security Rule requires covered entities to identify risks and vulnerabilities, manage those risks, and reduce them to a reasonable and appropriate level; it does not require that all risks and vulnerabilities be eliminated entirely.

The priority after discovering unauthorized system activity must be to contain the incident and ensure the threat actor has been removed from internal systems. Systems should then be safely brought back online, and the nature and scope of the incident confirmed through a forensic investigation. If it is confirmed that patient information was compromised, a breach report must be submitted to the Department of Health and Human Services (HHS) and the affected individuals must be sent individual notifications within 60 days of the discovery of the breach. All data breaches involving more than 500 records are investigated by the HHS' Office for Civil Rights (OCR) to determine whether they resulted from a failure to comply with the HIPAA Rules, and financial penalties may be imposed for noncompliance.

50,000-Record Data Breach at Greater Cincinnati Behavioral Health Services

On December 10, 2023, Greater Cincinnati Behavioral Health Services (GCBHS) suffered a cyberattack that disrupted its systems and blocked access to some of its IT systems. Prompt action was taken to contain the incident, and third-party cybersecurity specialists investigated the attack and assisted with mitigation.

GCBHS said the forensic investigation is ongoing, but evidence has been found indicating that an unauthorized third party accessed files containing patient information. The files are still being reviewed, and notifications will be issued once that review is complete. GCBHS stated the exposed information includes names, demographic details, driver's license numbers, Social Security numbers, dates of birth, and medical data. GCBHS said it has implemented additional security measures and will offer the affected individuals complimentary credit monitoring and identity theft protection services. The breach report submitted to the HHS' Office for Civil Rights indicates that up to 50,000 patients were affected.

Cyberattack on Business Associate Impacts Bay Area Heart Center

Bay Area Heart Center in Florida has been affected by a cyberattack and data breach at Bowden Barlow Law, a business associate that provides debt recovery services to Bay Area Heart Center. The law firm conducted a forensic investigation, which confirmed that the PHI of 11,709 Bay Area Heart Center patients was exposed in the attack. The affected data was limited to names, addresses, dates of service, full and partial Social Security numbers, limited claims information, and insurance policy numbers. Bowden Barlow Law has strengthened its cybersecurity and is offering the affected individuals 12 months of complimentary credit monitoring services.