Radiology providers not responsible for breach notifications after Change cyberattack, HHS says
Health and Human Services on Friday responded to radiology groups’ lingering concerns in the aftermath of the Change Healthcare cyberattack.
The agency emphasized that the payment processing firm—and not imaging groups—is responsible for notifying healthcare consumers and the media about the incident. On May 20, the American College of Radiology, American Society of Neuroradiology, Society of Interventional Radiology and others had written HHS, worried their members would be saddled with this responsibility.
Office for Civil Rights Director Melanie Fontes Rainer emphasized that patients impacted by the Feb. 21 incident “must be notified that their protected health information was breached.”
“This ensures that the potentially millions of Americans—including the elderly, the disabled, those with limited English proficiency, those with limited access to technology, and more—will understand the impact of this breach on their private medical records and their healthcare,” she said in a statement provided May 31. “Affected covered entities that want Change Healthcare to provide breach notifications on their behalf should contact Change Healthcare. All of the required HIPAA breach notifications may be performed by Change Healthcare. We encourage all parties to take the necessary steps to ensure that the HIPAA breach notifications are prioritized.”
HHS further emphasized that only one entity, in this case Change Healthcare, needs to notify patients, government officials and (where applicable) the media. The agency also provided an updated frequently asked questions document further hashing out these obligations.
“OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples’ health information,” the Office for Civil Rights noted.
It’s unclear how many radiology groups and patients have been impacted by the cyberattack. Change parent company UnitedHealth Group has said, given the complexity of the data review, it will likely take “several months” before “enough information will be available to identify and notify impacted customers and individuals.”
During imaging industry giant RadNet’s recent quarterly earnings call, leaders said the company’s accounts receivable balance was at nearly $190 million as of March 31. That represents a nearly $26 million increase from the end of 2023 and is primarily the result of some collection delays resulting from the Change cyberattack.