Change Healthcare and United Health have put out additional information.
I know most clinicians won't but I'm making the decision to give my clients a heads-up right now given:
a) Change Healthcare seems to be offering people who call two years of free credit monitoring, &
b) They say it will take months before they notify anyone what data was actually breached, &
c) Data on a huge percentage of the US population has been breached.
I'm posting a few quotes below with my commentary in red. Those interested should read the articles at the links provided for more.
"Change Healthcare says data stolen by hackers in a February cyberattack likely covers a 'substantial proportion of people in America.'"
It's a huge breach -- almost certainly effects your clients. 1 in 3 patient records nation-wide effected.
"The company set up a website and hotline for more information on the data breach and is offering two years of free credit monitoring and identity theft protection for anyone affected."
"A dedicated call center is available to offer free credit monitoring and identity theft protections for two years to anyone impacted." Call 1-866-262-5342
Given that they are offering credit monitoring in advance of knowing who/what data was breached, I'm guessing they are giving it to anyone who calls. Hopefully.
Even if your clients don't care about medical data being leaked, the data could also be such that thieves could establish credit in client's names. So everyone needs to lock down their credit and monitor from now on.
"Given the ongoing nature and complexity of the data review, it is likely to take several months of continued analysis before enough information will be available to identify and notify impacted customers and individuals."
Don't expect any timely information. Lock your credit down now.
"To help ease reporting obligations on other stakeholders whose data may have been compromised as part of this cyberattack, UnitedHealth Group has offered to make notifications and undertake related administrative requirements on behalf of any provider or customer."
This would seem to imply they will do formal breach notifications for providers. Someday... Tell me more please how to make this happen...
But... see article below...
"Change Healthcare Service Restoration"
They claims their systems are back to 80%+ operational status. Read for details, but really -- what matters is if you have noticed if your claims submissions, EFT, and ERA are working again.
One wonders how vigilant they will be given this story.
"HHS said it has not received a breach notification from UnitedHealth's subsidiary Change Healthcare in the wake of the February cyberattack it suffered." (as of April 19th)
"HHS did say HIPAA-covered entities have at least 60 days to report a breach from the date it was discovered. The Change hack occurred Feb. 21."
"Additionally, HHS said any covered entities that have been affected by the breach must report it if protected health information has been compromised."
Huh. So... United Health seems to be saying they will undertake breach notifications on the part of any provider, but HHS says it is our responsibility. I'm confused.
My non-legal speculative opinion is that this is not yet my problem as I have not been notified of any breach by United Health or Change Healthcare. Right? Won't be so for months.
-- Michael
--
Michael Reeder, LCPC
Hygeia Counseling Services : Baltimore / Mt. Washington Village location http://www.hygeiacounseling.com - main website.